Plateforme
nodejs
Composant
blueprintue-self-hosted-edition
Corrigé dans
4.2.1
CVE-2026-40586 affects blueprintUE Self-Hosted Edition, a tool for Unreal Engine developers. This vulnerability stems from a complete absence of throttling mechanisms on the login form handler, allowing attackers to rapidly submit numerous login attempts. This lack of protection enables dictionary attacks and credential stuffing, potentially compromising user accounts and sensitive project data. The vulnerability impacts versions 0.0.0 through 4.1.9, and a fix is available in version 4.2.0.
The primary impact of CVE-2026-40586 is the potential for successful credential stuffing and dictionary attacks. Without rate limiting, an attacker can exhaustively attempt various username/password combinations, significantly increasing the likelihood of gaining unauthorized access. Successful exploitation could lead to the compromise of developer accounts, access to sensitive Unreal Engine projects, and potentially the exfiltration of intellectual property. The absence of any throttling mechanism means the attack can proceed at full network speed, making it particularly effective. This vulnerability shares similarities with other login-related vulnerabilities where inadequate rate limiting is present, allowing for brute-force and credential stuffing attempts.
CVE-2026-40586 was publicly disclosed on 2026-04-21. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. The absence of throttling makes this vulnerability attractive to automated credential stuffing tools, and it is possible that it will be added to automated attack lists. The relatively low complexity of exploitation suggests a moderate risk of future exploitation.
Unreal Engine developers using blueprintUE Self-Hosted Edition, particularly those with weak password policies or who share hosting environments. Teams relying on blueprintUE for project management and collaboration are at increased risk, as a compromised account could grant access to sensitive project assets and intellectual property. Users with legacy configurations or those who have not regularly updated blueprintUE are also at higher risk.
• nodejs / server: Monitor blueprintUE server logs for a high volume of failed login attempts originating from a single IP address. Use journalctl -u blueprintue -f to monitor logs in real-time.
• generic web: Use curl -v <blueprintUEloginurl> to test login endpoint behavior and observe rate limiting (or lack thereof). Examine access logs for repeated failed login attempts from the same IP.
• generic web: Check response headers for any rate limiting indicators. A missing X-RateLimit-* header suggests no rate limiting is in place.
disclosure
Statut de l'Exploit
EPSS
0.06% (percentile 19%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-40586 is to immediately upgrade to blueprintUE Self-Hosted Edition version 4.2.0 or later, which includes the necessary login throttling mechanisms. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rate-limiting rules to restrict the number of login attempts from a single IP address within a given timeframe. Specifically, configure the WAF to limit requests to the login endpoint (/login or similar) to a reasonable number (e.g., 5-10 attempts per minute per IP). Monitor login logs for unusual activity, such as a high volume of failed login attempts originating from a single source. While not a complete solution, this can provide a temporary layer of protection.
Actualice a la versión 4.2.0 o superior para mitigar la vulnerabilidad. Esta versión implementa medidas de seguridad como el control de velocidad, el bloqueo de cuentas y la protección contra ataques de fuerza bruta en el punto final de inicio de sesión.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-40586 is a HIGH severity vulnerability in blueprintUE Self-Hosted Edition where the login form lacks throttling, allowing attackers to attempt unlimited login credentials.
Yes, if you are using blueprintUE Self-Hosted Edition versions 0.0.0 through 4.1.9, you are potentially affected by this vulnerability.
Upgrade to blueprintUE Self-Hosted Edition version 4.2.0 or later to implement login throttling and mitigate the risk.
Currently, there is no confirmed active exploitation of CVE-2026-40586, but the lack of throttling makes it a potential target for automated attacks.
Refer to the official blueprintUE security advisory for detailed information and updates: [https://blueprintue.com/security/advisories](https://blueprintue.com/security/advisories)
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.