CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0.
Analysis (AI)
Unlimited credential brute-forcing against blueprintUE Self-Hosted Edition login form allows remote attackers to enumerate valid accounts and compromise credentials through dictionary attacks, credential stuffing, or exhaustive guessing. The login handler (versions prior to 4.2.0) implements zero rate limiting, no progressive delays, no account lockouts, and no CAPTCHA challenges, enabling attackers to submit authentication attempts at full network speed. …
Remediation (AI)
Within 24 hours: Inventory all blueprintUE Self-Hosted Edition deployments and document current versions; enable network-level WAF or IP-based rate limiting rules targeting the login endpoint at ≤10 requests per minute per source IP. Within 7 days: Implement application-level protections: deploy a reverse proxy with authentication rate limiting, enable progressive login delays (exponential backoff starting at 1 second), and, if available, integrate CAPTCHA or similar challenge mechanisms on the login form. …
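The following is an added illustration, not code from blueprintUE or from vuln.today, of the application-level controls the remediation text names: a per-source-IP limit of 10 attempts per minute, a per-account progressive delay with exponential backoff starting at 1 second, and a temporary lockout. The lockout threshold (10 failures), lockout length (15 minutes), delay cap (60 seconds), the in-memory store and all function names are assumptions chosen for the example; a real deployment would keep this state in shared storage such as Redis so every application worker sees the same counters.

```python
"""Login throttle combining per-IP rate limiting, per-account exponential
backoff and temporary lockout. Added example; thresholds other than the
10/minute IP limit and the 1-second base delay are assumptions."""

from __future__ import annotations

import time
from collections import defaultdict, deque
from dataclasses import dataclass

IP_LIMIT = 10                 # attempts per window per source IP (from the page)
IP_WINDOW_SECONDS = 60        # sliding window length (from the page)
BASE_DELAY_SECONDS = 1.0      # first backoff delay (from the page)
MAX_DELAY_SECONDS = 60.0      # assumption: cap so the delay stays bounded
LOCKOUT_AFTER = 10            # assumption: failures before temporary lockout
LOCKOUT_SECONDS = 15 * 60     # assumption: lockout length


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0   # earliest time the next attempt is accepted
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock    # injectable so tests can drive time deterministically
        self.ip_hits: dict[str, deque[float]] = defaultdict(deque)
        self.accounts: dict[str, AccountState] = defaultdict(AccountState)

    def _ip_allowed(self, ip: str, now: float) -> bool:
        """Sliding-window counter: drop hits older than the window, then compare."""
        hits = self.ip_hits[ip]
        while hits and now - hits[0] >= IP_WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= IP_LIMIT:
            return False
        hits.append(now)
        return True

    def check(self, ip: str, username: str) -> tuple[bool, str]:
        """Decide before any password verification whether to process the attempt."""
        now = self.clock()
        if not self._ip_allowed(ip, now):
            return False, "ip_rate_limited"
        acct = self.accounts[username]
        if now < acct.locked_until:
            return False, "account_locked"
        if now < acct.not_before:
            return False, "backoff"
        return True, "ok"

    def record_failure(self, username: str) -> float:
        """Double the delay after every failure; lock the account past the threshold."""
        now = self.clock()
        acct = self.accounts[username]
        acct.failures += 1
        delay = min(BASE_DELAY_SECONDS * 2 ** (acct.failures - 1), MAX_DELAY_SECONDS)
        acct.not_before = now + delay
        if acct.failures >= LOCKOUT_AFTER:
            acct.locked_until = now + LOCKOUT_SECONDS
        return delay

    def record_success(self, username: str) -> None:
        self.accounts.pop(username, None)   # a correct login resets the counters


def attempt_login(throttle: LoginThrottle, ip: str, username: str,
                  password: str, verify) -> str:
    """Wrap a credential check with the throttle. `verify` is the real password
    verifier (assumed callable(username, password) -> bool)."""
    allowed, reason = throttle.check(ip, username)
    if not allowed:
        return reason
    if verify(username, password):
        throttle.record_success(username)
        return "success"
    throttle.record_failure(username)
    # Same response whether or not the account exists, to avoid enumeration.
    return "invalid_credentials"


if __name__ == "__main__":
    # Constructed demo: one wrong guess, an immediate retry, then the right password.
    t = LoginThrottle()
    ok = lambda u, p: (u, p) == ("alice", "correct")   # constructed verifier
    print(attempt_login(t, "203.0.113.5", "alice", "wrong", ok))
    print(attempt_login(t, "203.0.113.5", "alice", "wrong", ok))
    time.sleep(1.1)
    print(attempt_login(t, "203.0.113.5", "alice", "correct", ok))
```

The backoff is enforced by rejecting early attempts rather than by sleeping inside the request handler: sleeping would hold a server worker for every guess and turn the tarpit into a denial-of-service lever, whereas `not_before` costs nothing to check. The IP counter is consumed even for attempts that are then refused on account state, so a flood against a locked account still exhausts the per-IP budget.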
EUVD-2026-24182