CVE-2026-55590
Awaiting Analysis Awaiting Analysis - Queue

Authentication Bypass in CakePHP via Backslash Redirect

Vulnerability report for CVE-2026-55590, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the redirect query string parameter. This issue is fixed in versions 2.11.1, 3.3.6, and 4.1.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
cakephp authentication 2.11.1
cakephp authentication 3.3.6
cakephp authentication 4.1.1
cakephp authentication to 2.11.1 (exc)
cakephp authentication to 3.3.6 (exc)
cakephp authentication to 4.1.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55590 is an open redirect vulnerability in the CakePHP Authentication plugin's getLoginRedirect() function. The issue arises because the function improperly handles backslashes (\) in redirect URLs. Browsers normalize these backslashes to forward slashes (/), which allows attackers to bypass security checks and craft redirect URLs that point to attacker-controlled or malicious domains.

This vulnerability allows an attacker to manipulate the redirect query string parameter to redirect users to untrusted external sites, potentially leading to phishing or other malicious activities.

The vulnerability was fixed by normalizing backslashes to forward slashes, rejecting redirect paths starting with // or \\, and adding validation to block paths containing backslashes.

Impact Analysis

This vulnerability can impact you by allowing attackers to redirect users of your application to malicious websites through crafted redirect URLs.

Such open redirects can be exploited for phishing attacks, where users are tricked into believing they are navigating within a trusted site but are instead sent to harmful domains.

This can lead to loss of user trust, potential credential theft, and other security risks associated with malicious redirects.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an open redirect weakness in the getLoginRedirect() function of the CakePHP Authentication plugin, where attacker-controlled redirect URLs with backslashes can bypass security checks.

To detect this vulnerability on your system or network, you can monitor HTTP requests for suspicious redirect query string parameters that contain backslashes (\) or redirect URLs starting with double slashes (//) or backslashes (\\). These patterns may indicate attempts to exploit the open redirect weakness.

Example commands to detect such attempts in web server logs (assuming Apache or Nginx logs) include:

  • grep -i 'redirect=.*\\' /var/log/apache2/access.log
  • grep -E 'redirect=.*(\\\\|//)' /var/log/nginx/access.log
  • Use network monitoring tools or intrusion detection systems to flag HTTP responses with Location headers containing backslashes or suspicious redirect URLs.

Additionally, testing the application by sending crafted requests with redirect parameters containing backslashes or double slashes and observing if the application redirects to external domains can help confirm the vulnerability.

Mitigation Strategies

The primary mitigation step is to upgrade the CakePHP Authentication plugin to a fixed version that addresses this vulnerability.

  • Upgrade to version 2.11.1, 3.3.6, or 4.1.1 of the CakePHP Authentication plugin, where the vulnerability in getLoginRedirect() has been fixed.

If upgrading immediately is not possible, apply validation on the redirect query string parameter to reject or sanitize values containing backslashes (\), or those starting with double slashes (//) or backslashes (\\), to prevent open redirect attacks.

The fix implemented in the patched versions includes normalizing backslashes to forward slashes, rejecting redirect paths starting with // or \\, and ensuring no backslashes remain in the parsed redirect path.

Monitoring and blocking suspicious redirect attempts at the application or web server level can also help mitigate exploitation risks until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55590. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart