Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered URL requires victim interaction (UI:R); no attacker privileges needed; limited confidentiality impact from phishing; no server integrity or availability impact.
Primary rating from Vendor (https://github.com/cakephp/authentication).
CVSS VectorVendor: https://github.com/cakephp/authentication
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Impact
The getLoginRedirect() method contains a weakness to backslash bypasses allowing redirect targets with attacker controlled hostnames.
Patches
3.3.6 and 4.1.1 contain a fix for this issue.
Workarounds
If you are unable to upgrade, you should consider adding application validation to the redirect query string parameter to mitigate this vulnerability.
AnalysisAI
Open redirect in CakePHP Authentication's getLoginRedirect() method exposes users of affected applications to attacker-controlled redirects via backslash character bypass of hostname validation logic. Applications running cakephp/authentication below 3.3.6 (3.x branch) or between 4.0.0 and 4.1.1 (4.x branch) are vulnerable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to use the CakePHP Authentication plugin's `getLoginRedirect()` method to resolve post-login redirect destinations from a query string or POST parameter, and the attacker must be able to deliver a crafted URL containing a backslash-prefixed external hostname to a victim user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score is provided in the available data, preventing quantitative risk scoring. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a user of a CakePHP application constructs a login URL such as `https://trusted-app.example.com/login?redirect=\\attacker.com/fake-login` and delivers it via a phishing email or malicious link. The victim navigates to the legitimate login page, enters their credentials normally, and is silently forwarded to the attacker-controlled domain after authentication completes - where a credential-harvesting page awaits. … |
| Remediation | Upgrade `cakephp/authentication` to version 3.3.6 (for 3.x installations) or 4.1.1 (for 4.x installations), as confirmed by the vendor advisory at https://github.com/cakephp/authentication/security/advisories/GHSA-hhpq-7wg4-36jm. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42674
GHSA-hhpq-7wg4-36jm