Backslash Bypass Vulnerability in CakePHP Authentication Plugin
CVE-2026-55590
5.1MEDIUM
What is CVE-2026-55590?
The CakePHP Authentication Plugin has a vulnerability in the getLoginRedirect() method, which allows the manipulation of redirect targets via the redirect query string parameter. This flaw enables attackers to exploit backslash bypass techniques, potentially leading to unauthorized redirections to malicious sites. Developers are advised to upgrade to the patched versions 2.11.1, 3.3.6, or 4.1.1 to mitigate this risk. For more details, see the relevant security advisories and commits on GitHub.
Affected Version(s)
authentication < 2.11.1 < 2.11.1
authentication >= 3.0.0, < 3.3.6 < 3.0.0, 3.3.6
authentication >= 4.0.0, < 4.1.1 < 4.0.0, 4.1.1
