{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40586", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.476Z", "datePublished": "2026-04-21T17:10:05.432Z", "dateUpdated": "2026-04-21T19:04:41.220Z"}, "containers": {"cna": {"title": "blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2"}], "affected": [{"vendor": "blueprintue", "product": "blueprintue-self-hosted-edition", "versions": [{"version": "< 4.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:10:05.432Z"}, "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0."}], "source": {"advisory": "GHSA-m6c2-6p3h-8jv2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:04:12.732330Z", "id": "CVE-2026-40586", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:04:41.220Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40586", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:04:12.732330Z"}}}], "references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:04:35.536Z"}}], "cna": {"title": "blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection", "source": {"advisory": "GHSA-m6c2-6p3h-8jv2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "blueprintue", "product": "blueprintue-self-hosted-edition", "versions": [{"status": "affected", "version": "< 4.2.0"}]}], "references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2", "name": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:10:05.432Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40586", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:04:41.220Z", "dateReserved": "2026-04-14T13:24:29.476Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T17:10:05.432Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0."}], "id": "CVE-2026-40586", "lastModified": "2026-04-22T21:16:27.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:56.523", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-m6c2-6p3h-8jv2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "blueprintue-self-hosted-edition", "source": "cna", "vendor": "blueprintue"}, "product": "blueprintue-self-hosted-edition", "vendor": "blueprintue"}], "analysis": {"en": {"generated_at": "2026-04-21T22:33:16.318024+00:00", "value": {"mitigation_remediation": ["Upgrade to blueprintUE Self\u2011Hosted Edition 4.2.0 or later to gain built\u2011in throttling and lockout features.", "If an upgrade is not immediately possible, deploy network\u2011level rate limiting or IP\u2011based blocking on the login service to reduce the request rate.", "Apply additional challenges such as CAPTCHA or multi\u2011factor authentication to the login form."], "summary": {"action": "Patch", "impact": "Unrestricted Credential Guessing"}, "threat_synthesis": {"affected_systems": "All installations of blueprintUE Self\u2011Hosted Edition running any version earlier than 4.2.0 are affected. The vulnerability was fixed in version 4.2.0 and later releases have built\u2011in rate limiting and lockout mechanisms.", "description_and_impact": "The login endpoint of blueprintUE Self\u2011Hosted Edition does not enforce any throttling, lockout, or brute\u2011force protection. An attacker may submit an unlimited number of authentication requests at full network speed. Without rate limiting, per\u2011account counters, or CAPTCHA challenges, attackers can perform dictionary or credential\u2011stuffing attacks against known or guessed user accounts. This weakness, identified by CWE-307, can lead to unauthorized access, credential theft, and potentially full compromise of the application and underlying systems.", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high impact with reasonable exploitation complexity. No EPSS data is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers need only to send repeated credential attempts against the login endpoint, which is accessible over the network, making it a likely target for automated brute\u2011force tools."}}}}, "created": "2026-04-21T22:45:16.048585+00:00", "updated": "2026-04-22T11:46:04.043437+00:00", "vendors": ["blueprintue", "blueprintue$PRODUCT$blueprintue-self-hosted-edition"]}