{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40588", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.476Z", "datePublished": "2026-04-21T17:12:08.938Z", "dateUpdated": "2026-04-22T13:22:02.425Z"}, "containers": {"cna": {"title": "blueprintUE: Authenticated Password Change Does Not Verify Current Password", "problemTypes": [{"descriptions": [{"cweId": "CWE-620", "lang": "en", "description": "CWE-620: Unverified Password Change", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x"}], "affected": [{"vendor": "blueprintue", "product": "blueprintue-self-hosted-edition", "versions": [{"version": "< 4.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:12:08.938Z"}, "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session \u2014 through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen \"remember me\" cookie \u2014 can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0."}], "source": {"advisory": "GHSA-73f2-p9jr-m44x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:20:53.842931Z", "id": "CVE-2026-40588", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:22:02.425Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40588", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.476Z", "datePublished": "2026-04-21T17:12:08.938Z", "dateUpdated": "2026-04-22T13:22:02.425Z"}, "containers": {"cna": {"title": "blueprintUE: Authenticated Password Change Does Not Verify Current Password", "problemTypes": [{"descriptions": [{"cweId": "CWE-620", "lang": "en", "description": "CWE-620: Unverified Password Change", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x"}], "affected": [{"vendor": "blueprintue", "product": "blueprintue-self-hosted-edition", "versions": [{"version": "< 4.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:12:08.938Z"}, "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session \u2014 through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen \"remember me\" cookie \u2014 can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0."}], "source": {"advisory": "GHSA-73f2-p9jr-m44x", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40588", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:20:53.842931Z"}}}], "references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:21:42.539Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session \u2014 through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen \"remember me\" cookie \u2014 can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0."}], "id": "CVE-2026-40588", "lastModified": "2026-04-22T21:16:27.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T18:16:51.207", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-620"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "blueprintue-self-hosted-edition", "source": "cna", "vendor": "blueprintue"}, "product": "blueprintue-self-hosted-edition", "vendor": "blueprintue"}], "analysis": {"en": {"generated_at": "2026-04-21T22:32:27.219187+00:00", "value": {"mitigation_remediation": ["Upgrade blueprintUE to version 4.2.0 or later, which restores current\u2011password verification during changes. 1", "To protect against session hijacking until an upgrade is possible, enforce HTTPS everywhere, set cookies with Secure and HttpOnly attributes, and apply SameSite policies to prevent cross\u2011site leakage. 2", "Implement user\u2011activity monitoring to detect and alert on unexpected password changes, and consider requiring re\u2011authentication for sensitive actions such as password updates. 3"], "summary": {"action": "Immediate Patch", "impact": "Permanent Account Takeover"}, "threat_synthesis": {"affected_systems": "All installations of the blueprintUE Self\u2011Hosted Edition running a version earlier than 4.2.0 are vulnerable. The patch that fixes the issue is included in release 4.2.0 and later.", "description_and_impact": "A flaw in blueprintUE\u2019s password change interface allows an authenticated user to change their password without providing the current password. Because the form does not verify the user\u2019s existing credentials, once an attacker has an active session they can set a new password and gain full control of the account.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.1, indicating high severity. Although EPSS data is not available and the issue is not listed in CISA\u2019s KEV catalog, the impact is permanent account takeover, which threatens confidentiality, integrity, and availability of the affected users. Exploitation requires an authenticated session, which an attacker can obtain through XSS exploitation, session side\u2011jacking over HTTP, physical access to a logged\u2011in browser, or a stolen \u201cremember me\u201d cookie. Once the attacker has such a session, changing the password is trivial and can be performed without any additional credentials."}}}}, "created": "2026-04-21T22:45:16.047919+00:00", "updated": "2026-04-22T11:46:01.704721+00:00", "vendors": ["blueprintue", "blueprintue$PRODUCT$blueprintue-self-hosted-edition"]}