Skip to main content

blueprintUE CVE-2026-40585

| EUVDEUVD-2026-24181 HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-04-21 security-advisories@github.com
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Patch released
Apr 22, 2026 - 21:16 nvd
Patch available
Patch available
Apr 21, 2026 - 19:01 EUVD
Re-analysis Queued
Apr 21, 2026 - 18:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 17:36 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24181
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
HIGH 7.4

DescriptionGitHub Advisory

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair - it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0.

AnalysisAI

Password reset tokens in blueprintUE self-hosted edition remain valid indefinitely, allowing attackers who intercept a reset link to compromise accounts at any future time. The vulnerability affects all versions prior to 4.2.0. While exploitation requires initial interception of a password reset token (AC:H), successful exploitation grants persistent unauthorized access with high confidentiality and integrity impact but no availability impact (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, score 7.4). No active exploitation, KEV listing, or public POC identified at time of analysis.

Technical ContextAI

The vulnerability stems from CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) in blueprintUE, a self-hosted toolset for Unreal Engine developers. The application generates cryptographically secure 128-character tokens using a CSPRNG for password resets and stores them with a password_reset_at timestamp. However, the token validation function findUserIDFromEmailAndToken() implements incomplete security logic by querying only the email and token pair without enforcing temporal constraints. Standard security practice requires password reset tokens to expire after a short window (typically 15 minutes to 1 hour) to limit the exposure window if intercepted. By omitting timestamp validation, the implementation violates the principle of time-bound authentication credentials, converting a time-sensitive security control into a persistent access mechanism.

RemediationAI

Upgrade to blueprintUE self-hosted edition version 4.2.0 or later, which implements proper timestamp validation in the token redemption function to enforce expiration windows. Vendor advisory at https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf provides release details. For installations unable to upgrade immediately, implement compensating controls including: force-expire all existing password reset tokens by clearing the password_reset and password_reset_at database columns, require TLS for all email transport to reduce interception risk (note: does not protect against email server compromise), enable MFA if supported to reduce impact of password-only compromise (limits but does not eliminate risk since valid tokens still allow password changes), and monitor for password reset requests followed by long delays before redemption as potential indicators of token harvesting. Note that database-level token clearing is disruptive to legitimate users with pending resets and MFA only mitigates post-compromise access rather than preventing the password change itself.

Share

CVE-2026-40585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy