Skip to main content

blueprintUE Self-Hosted Edition CVE-2026-40588

| EUVDEUVD-2026-24205 HIGH
Unverified Password Change (CWE-620)
2026-04-21 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Patch released
Apr 22, 2026 - 21:16 nvd
Patch available
Re-analysis Queued
Apr 22, 2026 - 14:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 18:48 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:45 euvd
EUVD-2026-24205
Analysis Generated
Apr 21, 2026 - 17:45 vuln.today
CVE Published
Apr 21, 2026 - 17:12 nvd
HIGH 8.1

DescriptionGitHub Advisory

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session - through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie - can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0.

AnalysisAI

Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.

Technical ContextAI

blueprintUE is a tool for Unreal Engine developers with a web-based profile management interface. The vulnerability stems from CWE-620 (Unverified Password Change), where the password modification endpoint at /profile/{slug}/edit/ implements insufficient verification of account ownership. Standard secure password change flows require users to provide their current password before setting a new one, preventing session-based takeover attacks. This implementation omits that critical control, allowing any request authenticated with a valid session token to modify account credentials without proving knowledge of the existing password. The affected component is blueprintue-self-hosted-edition, indicating organizations running their own instances face exposure.

RemediationAI

Upgrade blueprintUE Self-Hosted Edition to version 4.2.0 or later, which implements current password verification in the password change form. Organizations should prioritize this upgrade for internet-facing instances and conduct password resets for accounts that may have been compromised during the vulnerable period. Until patching is complete, implement compensating controls: enforce HTTPS-only session cookies with Secure and HttpOnly flags to prevent session theft over unencrypted channels and XSS exploitation; reduce session timeout values to minimize exposure window for stolen sessions; disable 'remember me' functionality if enabled; implement IP-based session binding where feasible, noting this may impact users with dynamic IPs or VPN usage; monitor authentication logs for unexpected password change events, particularly multiple changes in short timeframes or changes from unusual geographic locations. Review web application firewall rules to detect automated password change attempts. Full mitigation details in GitHub advisory: https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x.

Share

CVE-2026-40588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy