diff --git a/src/Controller/Component/SecurityComponent.php b/src/Controller/Component/SecurityComponent.php
index 3afd659cf05..1aa416b85fd 100644
--- a/src/Controller/Component/SecurityComponent.php
+++ b/src/Controller/Component/SecurityComponent.php
@@ -306,7 +306,7 @@ protected function _validatePost(Controller $controller)
         $multi = [];
 
         foreach ($fieldList as $i => $key) {
-            if (preg_match('/(\.\d){1,10}$/', $key)) {
+            if (preg_match('/(\.\d+){1,10}$/', $key)) {
                 $multi[$i] = preg_replace('/(\.\d+){1,10}$/', '', $key);
                 unset($fieldList[$i]);
             } else {
diff --git a/tests/TestCase/Controller/Component/SecurityComponentTest.php b/tests/TestCase/Controller/Component/SecurityComponentTest.php
index 133613e1882..a5e1d2e66fd 100644
--- a/tests/TestCase/Controller/Component/SecurityComponentTest.php
+++ b/tests/TestCase/Controller/Component/SecurityComponentTest.php
@@ -500,6 +500,12 @@ public function testValidatePostArray()
             '_Token' => compact('fields', 'unlocked')
         ];
         $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
+
+        $this->Controller->request->data = [
+            'Model' => ['multi_field' => [12 => '1',  20 => '3']],
+            '_Token' => compact('fields', 'unlocked')
+        ];
+        $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
     }
 
     /**