Platform
nodejs
Component
blueprintue-self-hosted-edition
Fixed in
4.2.1
CVE-2026-40585 is a security vulnerability affecting blueprintUE Self-Hosted Edition. This flaw allows an attacker to potentially gain unauthorized access to user accounts by exploiting an issue in the password reset process. The vulnerability impacts versions 0.0.0 through 4.1.9 and is resolved in version 4.2.0.
The vulnerability lies in the password reset token redemption process within blueprintUE. Specifically, the findUserIDFromEmailAndToken() function does not validate the passwordresetat timestamp when redeeming a reset token. This means an attacker who obtains a valid reset token can use it at any time, even long after it was initially generated, effectively bypassing the intended time-based security measure. Successful exploitation could lead to an attacker gaining full control over a user's account, including access to sensitive data and the ability to perform actions on their behalf. The blast radius is limited to the accounts accessible within the blueprintUE system.
This vulnerability was publicly disclosed on 2026-04-21. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it likely that a PoC will be developed. The CVSS score of 7.4 (High) indicates a significant potential impact.
Unreal Engine developers and teams using blueprintUE Self-Hosted Edition, particularly those with legacy configurations or those who haven't implemented robust password policies, are at risk. Shared hosting environments where multiple users share the same blueprintUE instance are also at increased risk.
• nodejs: Monitor blueprintUE logs for unusual password reset activity, specifically requests with very old passwordresetat timestamps.
  grep 'password_reset_at' blueprintue.log | sort -n | tail -10
• generic web: Check blueprintUE access logs for repeated failed password reset attempts from the same IP address, potentially indicating an attacker attempting to brute-force token redemption.
EPSS
0.04% (12th percentile)
The primary mitigation for CVE-2026-40585 is to upgrade blueprintUE Self-Hosted Edition to version 4.2.0 or later, which includes the fix. If an immediate upgrade is not possible, consider a temporary workaround: add a timestamp validation check to the findUserIDFromEmailAndToken() function so that the passwordresetat timestamp must fall within a reasonable window before the token can be redeemed. Additionally, review and audit all password reset functionality to ensure robust timestamp validation and token expiration policies are in place. After upgrading, confirm the fix by requesting a password reset and verifying that the token is rejected once its validity window has passed.
Upgrade to version 4.2.0 or later to mitigate the vulnerability. This version implements an expiry-time check for password reset tokens, preventing them from remaining valid indefinitely.
CVE-2026-40585 is a HIGH severity vulnerability in blueprintUE Self-Hosted Edition where password reset tokens are valid indefinitely, allowing unauthorized account access.
Yes, if you are using blueprintUE Self-Hosted Edition versions 0.0.0 through 4.1.9, you are affected by this vulnerability.
Upgrade to blueprintUE Self-Hosted Edition version 4.2.0 or later to resolve the vulnerability. A temporary workaround involves adding timestamp validation to the token redemption function.
There is currently no indication of active exploitation, but the vulnerability's nature suggests it may be targeted in the future.
Refer to the blueprintUE project's official communication channels and release notes for the advisory regarding CVE-2026-40585.