Backslash Bypass Vulnerability in CakePHP Authentication Plugin
CVE-2026-55590

5.1MEDIUM

Key Information:

Vendor

CakePHP

Vendor
CVE Published:
9 July 2026

What is CVE-2026-55590?

The CakePHP Authentication Plugin has a vulnerability in the getLoginRedirect() method, which allows the manipulation of redirect targets via the redirect query string parameter. This flaw enables attackers to exploit backslash bypass techniques, potentially leading to unauthorized redirections to malicious sites. Developers are advised to upgrade to the patched versions 2.11.1, 3.3.6, or 4.1.1 to mitigate this risk. For more details, see the relevant security advisories and commits on GitHub.

Affected Version(s)

authentication < 2.11.1 < 2.11.1

authentication >= 3.0.0, < 3.3.6 < 3.0.0, 3.3.6

authentication >= 4.0.0, < 4.1.1 < 4.0.0, 4.1.1

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.