Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session - through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie - can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0.
AnalysisAI
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.
Technical ContextAI
blueprintUE is a tool for Unreal Engine developers with a web-based profile management interface. The vulnerability stems from CWE-620 (Unverified Password Change), where the password modification endpoint at /profile/{slug}/edit/ implements insufficient verification of account ownership. Standard secure password change flows require users to provide their current password before setting a new one, preventing session-based takeover attacks. This implementation omits that critical control, allowing any request authenticated with a valid session token to modify account credentials without proving knowledge of the existing password. The affected component is blueprintue-self-hosted-edition, indicating organizations running their own instances face exposure.
RemediationAI
Upgrade blueprintUE Self-Hosted Edition to version 4.2.0 or later, which implements current password verification in the password change form. Organizations should prioritize this upgrade for internet-facing instances and conduct password resets for accounts that may have been compromised during the vulnerable period. Until patching is complete, implement compensating controls: enforce HTTPS-only session cookies with Secure and HttpOnly flags to prevent session theft over unencrypted channels and XSS exploitation; reduce session timeout values to minimize exposure window for stolen sessions; disable 'remember me' functionality if enabled; implement IP-based session binding where feasible, noting this may impact users with dynamic IPs or VPN usage; monitor authentication logs for unexpected password change events, particularly multiple changes in short timeframes or changes from unusual geographic locations. Review web application firewall rules to detect automated password change attempts. Full mitigation details in GitHub advisory: https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x.
Same weakness CWE-620 – Unverified Password Change
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24205