We support fixing security issues on the following releases:
| Version | Supported | Security fixes until |
|---|---|---|
| 5.0 | ✅ | The release of 5.2 |
| 4.5 | ✅ | 36 Months after the release of 5.0 (09 Sep 2026) |
| 4.4 | ✅ | 36 Months after the release of 5.0 (09 Sep 2026) |
| 4.3 | ✅ | 36 Months after the release of 5.0 (09 Sep 2026) |
| 4.2 | ❌ | No longer supported |
| 4.1 | ❌ | No longer supported |
| 4.0 | ❌ | No longer supported |
| 3.10.x | ❌ | No longer supported |
| 2.10.x | ❌ | No longer supported |
If you’ve found a security issue in CakePHP, please use the following procedure instead of the normal bug reporting system. Instead of using the bug tracker, or one of the support forums please send an email to security [at] cakephp.org. Emails sent to this address go to the CakePHP core team on a private mailing list.
For each report, we try to first confirm the vulnerability. Once confirmed, the CakePHP team will take the following actions:
- Acknowledge to the reporter that we’ve received the issue, and are working on a fix. We ask that the reporter keep the issue confidential until we announce it.
- Get a fix/patch prepared.
- Prepare a post describing the vulnerability, and the possible exploits.
- Release new versions of all affected versions.
- Prominently feature the problem in the release announcement