CVE-2026-55590

Severity CVSS v4.0:
MEDIUM
Type:
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Publication date:
09/07/2026
Last modified:
09/07/2026

Description

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the redirect query string parameter. This issue is fixed in versions 2.11.1, 3.3.6, and 4.1.1.