Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair - it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0.
AnalysisAI
Password reset tokens in blueprintUE self-hosted edition remain valid indefinitely, allowing attackers who intercept a reset link to compromise accounts at any future time. The vulnerability affects all versions prior to 4.2.0. While exploitation requires initial interception of a password reset token (AC:H), successful exploitation grants persistent unauthorized access with high confidentiality and integrity impact but no availability impact (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, score 7.4). No active exploitation, KEV listing, or public POC identified at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) in blueprintUE, a self-hosted toolset for Unreal Engine developers. The application generates cryptographically secure 128-character tokens using a CSPRNG for password resets and stores them with a password_reset_at timestamp. However, the token validation function findUserIDFromEmailAndToken() implements incomplete security logic by querying only the email and token pair without enforcing temporal constraints. Standard security practice requires password reset tokens to expire after a short window (typically 15 minutes to 1 hour) to limit the exposure window if intercepted. By omitting timestamp validation, the implementation violates the principle of time-bound authentication credentials, converting a time-sensitive security control into a persistent access mechanism.
RemediationAI
Upgrade to blueprintUE self-hosted edition version 4.2.0 or later, which implements proper timestamp validation in the token redemption function to enforce expiration windows. Vendor advisory at https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf provides release details. For installations unable to upgrade immediately, implement compensating controls including: force-expire all existing password reset tokens by clearing the password_reset and password_reset_at database columns, require TLS for all email transport to reduce interception risk (note: does not protect against email server compromise), enable MFA if supported to reduce impact of password-only compromise (limits but does not eliminate risk since valid tokens still allow password changes), and monitor for password reset requests followed by long delays before redemption as potential indicators of token harvesting. Note that database-level token clearing is disruptive to legitimate users with pending resets and MFA only mitigates post-compromise access rather than preventing the password change itself.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24181