CVE-2026-55590
Awaiting Analysis
Awaiting Analysis - Queue
Authentication Bypass in CakePHP via Backslash Redirect
Vulnerability report for CVE-2026-55590, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-09
Assigner: GitHub, Inc.
Description
Description
CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the redirect query string parameter. This issue is fixed in versions 2.11.1, 3.3.6, and 4.1.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cakephp | authentication | 2.11.1 |
| cakephp | authentication | 3.3.6 |
| cakephp | authentication | 4.1.1 |
| cakephp | authentication | to 2.11.1 (exc) |
| cakephp | authentication | to 3.3.6 (exc) |
| cakephp | authentication | to 4.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |