Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0.
AnalysisAI
Unlimited credential brute-forcing against blueprintUE Self-Hosted Edition login form allows remote attackers to enumerate valid accounts and compromise credentials through dictionary attacks, credential stuffing, or exhaustive guessing. The login handler (versions prior to 4.2.0) implements zero rate limiting, no progressive delays, no account lockouts, and no CAPTCHA challenges, enabling attackers to submit authentication attempts at full network speed. While a strong password policy is enforced (10+ characters, mixed case, digit, special), this does not prevent attacks using breached credential databases or targeted guessing against predictable passwords. EPSS exploitation probability data not available; no public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
This is a classic authentication bypass weakness (CWE-307: Improper Restriction of Excessive Authentication Attempts) in a web application login mechanism. The blueprintUE Self-Hosted Edition product, a developer tool for Unreal Engine workflows, exposes an HTTP-based authentication endpoint that processes login requests without implementing any defensive throttling mechanisms. The vulnerability exists at the application layer where credential validation occurs. Modern secure authentication systems typically implement multiple defensive layers: rate limiting at the web server or application firewall level (requests per IP per time window), account-level attempt counters (lockout after N failures), progressive delays (exponential backoff), and human verification challenges (CAPTCHA after threshold). The complete absence of these controls creates a testing environment where attackers can submit thousands of authentication attempts per second limited only by network bandwidth and server processing capacity. The CVSS vector AV:N indicates this is remotely exploitable over standard network protocols, likely HTTP/HTTPS to the login form endpoint.
RemediationAI
Upgrade to blueprintUE Self-Hosted Edition version 4.2.0 or later, which implements authentication throttling controls per the vendor security advisory at https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2. The patch introduces rate limiting and related protective mechanisms to the login handler. For environments where immediate patching is not feasible, implement compensating controls at the network perimeter: configure web application firewall (WAF) or reverse proxy (nginx, Apache, Cloudflare) rules to enforce rate limiting on the login endpoint (recommend maximum 5 authentication attempts per source IP per 5-minute window, adjust based on legitimate user patterns), which effectively replicates the missing application-layer control with minimal user impact for legitimate users but may cause friction in NAT environments where many users share a single public IP. Deploy IP allowlisting to restrict login form access to known corporate IP ranges if remote access patterns permit, reducing attack surface but eliminating access from mobile/home networks. Enable comprehensive authentication logging and configure SIEM alerts for rapid successive failed login attempts (10+ failures from single IP within 60 seconds) to enable incident response even without automated blocking. Consider mandatory multi-factor authentication (MFA) for all accounts if the platform supports it, which provides defense-in-depth even if passwords are compromised. These compensating controls introduce operational overhead (WAF rule maintenance, false positive handling for shared IPs, SIEM tuning) and should be treated as temporary measures pending upgrade to patched version.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24182