Description
CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the redirect query string parameter. This issue is fixed in versions 2.11.1, 3.3.6, and 4.1.1.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-hhpq-7wg4-36jm | CakePHP Authentication: Open redirect weakness via backslash bypass |
References
History
Thu, 09 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 09 Jul 2026 19:15:00 +0000
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T19:18:12.885Z
Reserved: 2026-06-16T23:18:03.170Z
Link: CVE-2026-55590
Updated: 2026-07-09T19:18:08.745Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Github GHSA