Platform
nodejs
Component
blueprintue-self-hosted-edition
Fixed in
4.2.1
CVE-2026-40586 affects blueprintUE Self-Hosted Edition, a tool for Unreal Engine developers. This vulnerability stems from a complete absence of throttling mechanisms on the login form handler, allowing attackers to rapidly submit numerous login attempts. This lack of protection enables dictionary attacks and credential stuffing, potentially compromising user accounts and sensitive project data. The vulnerability impacts versions 0.0.0 through 4.1.9, and a fix is available in version 4.2.0.
The primary impact of CVE-2026-40586 is the potential for successful credential stuffing and dictionary attacks. Without rate limiting, an attacker can exhaustively attempt various username/password combinations, significantly increasing the likelihood of gaining unauthorized access. Successful exploitation could lead to the compromise of developer accounts, access to sensitive Unreal Engine projects, and potentially the exfiltration of intellectual property. The absence of any throttling mechanism means the attack can proceed at full network speed, making it particularly effective. This vulnerability shares similarities with other login-related vulnerabilities where inadequate rate limiting is present, allowing for brute-force and credential stuffing attempts.
CVE-2026-40586 was publicly disclosed on 2026-04-21. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. The absence of throttling makes this vulnerability attractive to automated credential stuffing tools, and it is possible that it will be added to automated attack lists. The relatively low complexity of exploitation suggests a moderate risk of future exploitation.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40586 is to immediately upgrade to blueprintUE Self-Hosted Edition version 4.2.0 or later, which includes the necessary login throttling mechanisms. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rate-limiting rules to restrict the number of login attempts from a single IP address within a given timeframe. Specifically, configure the WAF to limit requests to the login endpoint (/login or similar) to a reasonable number (e.g., 5-10 attempts per minute per IP). Monitor login logs for unusual activity, such as a high volume of failed login attempts originating from a single source. While not a complete solution, this can provide a temporary layer of protection.
Update to version 4.2.0 or higher to mitigate the vulnerability. This version implements security measures such as rate limiting, account lockout, and brute-force protection at the login endpoint.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40586 is a HIGH severity vulnerability in blueprintUE Self-Hosted Edition where the login form lacks throttling, allowing attackers to attempt unlimited login credentials.
Yes, if you are using blueprintUE Self-Hosted Edition versions 0.0.0 through 4.1.9, you are potentially affected by this vulnerability.
Upgrade to blueprintUE Self-Hosted Edition version 4.2.0 or later to implement login throttling and mitigate the risk.
Currently, there is no confirmed active exploitation of CVE-2026-40586, but the lack of throttling makes it a potential target for automated attacks.
Refer to the official blueprintUE security advisory for detailed information and updates: [https://blueprintue.com/security/advisories](https://blueprintue.com/security/advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.