PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55590 cakephp CVE debrief

The CakePHP Authentication plugin has a vulnerability prior to versions 2.11.1, 3.3.6, and 4.1.1. The getLoginRedirect() method contains a weakness to backslash bypasses, allowing redirect targets with attacker-controlled hostnames through the redirect query string parameter. This issue affects developers and administrators using the plugin. Patches are available to prevent potential redirects to malicious hostnames.

Vendor
cakephp
Product
authentication
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-13
Advisory published
2026-07-09
Advisory updated
2026-07-13

Who should care

Developers and administrators using CakePHP Authentication plugin versions prior to 2.11.1, 3.3.6, and 4.1.1 should apply patches to prevent potential redirects to malicious hostnames. Security teams and vulnerability management teams should review and track this vulnerability.

Technical summary

The vulnerability exists in the getLoginRedirect() method of the CakePHP Authentication plugin. An attacker can exploit this weakness by providing a specially crafted redirect query string parameter, potentially redirecting users to malicious hostnames. Affected versions are prior to 2.11.1, 3.3.6, and 4.1.1. Developers should apply patches or restrict redirect query string parameters. This issue affects developers and administrators using the plugin, who should review official advisories and track vendor updates to ensure secure configurations and protect against potential redirects to malicious hostnames.

Defensive priority

Medium

Recommended defensive actions

  • Apply patches to upgrade to CakePHP Authentication plugin versions 2.11.1, 3.3.6, or 4.1.1.
  • Review and restrict redirect query string parameters to prevent potential bypasses.
  • Monitor for suspicious redirect activity.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-09T19:17:06.670Z and last modified on 2026-07-13T17:09:24.243Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify affected deployments, review official advisories, and track vendor updates.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T19:17:06.670Z and has not been modified since then. The NVD entry is currently Analyzed.