PT-2026-50603 · Packagist · Cakephp/Authentication
Published
2026-06-17
·
Updated
2026-06-17
·
CVE-2026-55590
CVSS v4.0
5.1
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Impact
The getLoginRedirect() method is vulnerable to backslash bypasses, allowing redirect targets with attacker-controlled hostnames.
Patches
3.3.6 and 4.1.1 contain a fix for this issue.
Workarounds
If you are unable to upgrade, you should consider adding application validation to the redirect query string parameter to mitigate this vulnerability.
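An added example, not part of this advisory or of the CakePHP project, of the application-side validation the workaround describes: a helper that accepts only same-site, path-relative redirect targets and refuses anything that could name another host, including the backslash form (browsers parse a backslash in a URL as a forward slash). The function names, the path-only policy and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether a redirect target taken from the request is safe to use.
 * Added example for the advisory's workaround; not CakePHP code.
 * Assumption: the app only needs same-site, path-relative redirects,
 * so anything that could name another host is rejected.
 */
function isSafeLocalRedirect(string $target): bool
{
    // Reject control characters and whitespace that could confuse parsing.
    if (preg_match('/[\x00-\x20\x7f]/', $target)) {
        return false;
    }
    // Browsers treat a backslash like a forward slash in URLs, so
    // "/\evil.example" is handled as "//evil.example". Refuse it outright.
    if (strpos($target, '\\') !== false) {
        return false;
    }
    // Must be an absolute path on this site: a single leading slash,
    // never "//host" (scheme-relative).
    if ($target === '' || $target[0] !== '/' || ($target[1] ?? '') === '/') {
        return false;
    }
    // Defence in depth: parse it and make sure no scheme or host survives.
    $parts = parse_url($target);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

// Use the validated target, or fall back to a fixed default.
function safeRedirectOrDefault(?string $requested, string $default = '/'): string
{
    return ($requested !== null && isSafeLocalRedirect($requested)) ? $requested : $default;
}

// Constructed inputs showing which targets are accepted.
$samples = [
    '/dashboard',            // accepted
    '/posts?page=2#top',     // accepted
    '//evil.example/phish',  // rejected: scheme-relative
    '/\\evil.example/phish', // rejected: backslash bypass
    'https://evil.example',  // rejected: absolute URL
    'dashboard',             // rejected: not rooted at "/"
];
foreach ($samples as $s) {
    printf("%-24s -> %s\n", $s, safeRedirectOrDefault($s));
}
```

Apply the check to the redirect query parameter before handing it to getLoginRedirect(), so a rejected value falls back to the default route instead of being followed.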
Fix
Open Redirect
Affected Products
Cakephp/Authentication