CakePHP 4.0.6 Released

The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.6. This is a maintenance release for the 4.0 branch that fixes several community reported issues and a low risk security issue in our CSRF protection middleware.


You can expect the following changes in 4.0.6. See the changelog for every commit.

  • Nirmal Kirubakaran contacted us via the security mailing list and disclosed a vulnerability in our CSRF token generation. If an attacker were to use an XSS vulnerabiity or physical access to fixate a CSRF token they could then exploit additional CSRF attacks. In this release generated tokens contain an HMAC signed with Security.salt. This ensures the tokens were generated by the same application that receives them. CSRF tokens generated in previous versions will now be rejected by 4.0.6 as they do not contain the HMAC.
  • Improved session access in IntegrationTestTrait through the new getTestSession() method.
  • Fixed generation of pagination links on / URLs.
  • cake plugin unload and cake plugin load now handle vendor namespaced plugins.
  • Validation::inList() no longer emits a warning on a non-scalar values.
  • Schema reflection stored procedures in SQLServer now work in case sensitive configurations.
  • Email message wrapping no longer emits errors when lines are the same length as the wrap length.
  • App::path() now resolves locale files for plugins.

Contributors to 4.0.6

Thank you to all the contributors that helped make this release happen:

  • ADmad
  • Corey Taylor
  • Mark Scherer
  • Mark Story
  • Nicolas

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

Download a packaged release on github.