CakePHP Authentication, Open Redirect (CWE-601), CVE-2026-55590 (MEDIUM) -DC-Jul2026-957

Listen to this Post

How CVE‑2026‑55590 Works

The CakePHP Authentication plugin provides a `getLoginRedirect()` helper method that applications use to send users back to a requested page after successful login. To preserve the user’s original destination, the method reads a `redirect` query string parameter from the incoming request and returns that value as the target URL.
Prior to patched versions (2.11.1, 3.3.6, and 4.1.1), `getLoginRedirect()` did not sufficiently validate or sanitize the `redirect` parameter. In particular, it failed to properly handle backslash (\) characters when parsing the URL. An attacker could exploit this by injecting a backslash into the redirect value, which would bypass the built‑in hostname validation logic.
For example, a typical open‑redirect check might verify that the redirect URL belongs to the same application domain. By crafting a payload such as https://trusted-domain.com\@evil.com`, the backslash tricks the parser into treating `evil.com` as the actual host while the visible part appears to be the trusted domain. The method would then return the attacker‑controlled `evil.com` URL, and the user’s browser would be redirected there after authentication.
This vulnerability is classified under CWE‑601: URL Redirection to Untrusted Site (‘Open Redirect’) . The attack vector is network‑based, requires no privileges, and needs user interaction (the victim must click a malicious link or be tricked into authenticating via a crafted URL). The CVSS v4 base score is 5.1 (MEDIUM) , with partial technical impact and no automatable exploitation according to CISA’s SSVC assessment.
The flaw exists in all versions before 2.11.1, all 3.x versions before 3.3.6, and all 4.x versions before 4.1.1. The fix was released on June 17, 2026, and involves proper URL validation that strips or rejects backslash‑based obfuscation. For users unable to upgrade immediately, the recommended workaround is to add custom application‑level validation to the `redirect` query parameter before passing it to
getLoginRedirect().
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: CakePHP Authentication
Version: <2.11.1, <3.3.6, <4.1.1
Vulnerability: Open redirect backslash bypass
Severity: MEDIUM (CVSS 5.1)
date: 2026-07-09 (NVD published)
<h2 style="color: blue;">Prediction: Patch already available (2026-06-17)</h2>
<h2 style="color: blue;">What Undercode Say: Analytics</h2>
- EPSS Score: 0.58% (probability of exploitation in the wild)
- SSVC Exploitation: none
- Automatable: no
- Technical Impact: partial
- CWE IDs: CWE-601, CWE-937, CWE-1035
- GitHub Advisory: GHSA-hhpq-7wg4-36jm
- CVSS v3.1 Vector: `AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`
- CVSS v4.0 Vector: `AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
<h2 style="color: blue;">Bash / Composer commands to check affected versions:</h2>

Check your installed version of cakephp/authentication
composer show cakephp/authentication
List all installed packages with versions
composer show --installed | grep authentication
Directly check if your version is vulnerable (example for 3.x)
php -r "echo version_compare('3.3.5', '3.3.6', '<') ? 'VULNERABLE' : 'OK';"

<h2 style="color: blue;">Code snippet showing the vulnerable method usage:</h2>

// Vulnerable pattern – no validation on redirect parameter
$redirect = $this->request->getQuery('redirect');
$target = $this->Authentication->getLoginRedirect($redirect);
return $this->redirect($target);

<h2 style="color: blue;">Exploit</h2>
An attacker crafts a malicious URL that includes a backslash to bypass hostname validation:

https://victim.com/login?redirect=https://trusted-domain.com\@evil.com/phishing

When a user clicks this link and completes authentication, `getLoginRedirect()` returnshttps://evil.com/phishing` instead of the trusted domain. The user is then transparently redirected to the attacker’s site, which can display a fake login page, steal session cookies, or deliver malware.
Alternative payloads using URL‑encoded backslash (%5C) may also work if the application does not decode before validation:

https://victim.com/login?redirect=https://trusted-domain.com%[email protected]

Because the vulnerability requires user interaction (clicking the link and logging in), it is not automatable, but it can be effectively used in phishing campaigns.

Protection

  1. Immediate Upgrade – Update to the fixed versions:

– For 2.x: upgrade to 2.11.1 or later
– For 3.x: upgrade to 3.3.6 or later
– For 4.x: upgrade to 4.1.1 or later

composer require cakephp/authentication:^3.3.6
or for 4.x
composer require cakephp/authentication:^4.1.1

2. Workaround (if upgrade is not possible) – Add application‑level validation to the `redirect` query parameter before passing it to getLoginRedirect():

$redirect = $this->request->getQuery('redirect');
// Reject any URL that contains a backslash or is not on the allowed domain list
if (strpos($redirect, '\') !== false || !$this->isTrustedHost($redirect)) {
$redirect = null;
}
$target = $this->Authentication->getLoginRedirect($redirect);

3. Use `AllowedDomains` whitelist – Implement a strict whitelist of permitted redirect hosts and reject anything else.
4. Enable framework‑level URL validation – CakePHP’s `Router::url()` and `UrlHelper` can be used to validate that the redirect target is internal.

Impact

  • Phishing Attacks – Attackers can redirect authenticated users to look‑alike malicious sites to steal credentials, personal information, or session tokens.
  • Loss of User Trust – Users may be tricked into interacting with fraudulent pages that appear to come from the legitimate application.
  • Reputation Damage – Successful exploitation can harm the organization’s brand and lead to regulatory scrutiny if user data is compromised.
  • Partial Integrity Violation – The CVSS vector indicates low integrity impact, meaning an attacker can manipulate the redirect flow but cannot directly modify system data.
  • Wide Affected Base – Since CakePHP is a popular PHP framework, thousands of applications using the Authentication plugin in vulnerable versions are exposed until patched.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top