Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair — it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0.
Published: 2026-04-21
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized account access through indefinitely valid password reset tokens
Action: Apply Patch
AI Analysis

Impact

blueprintUE generates a 128‑character token from a CSPRNG when a user requests a password reset and stores it together with a password_reset_at timestamp. The redemption function, findUserIDFromEmailAndToken(), verifies only that the email and token match and never consults that timestamp, so a token stays valid until it is consumed by a successful reset or overwritten when a new reset is requested for the same account. An attacker who obtains a token, even one issued long ago, can therefore set a new password on the account at any later time and take it over, with full read and write access to whatever the account holds. This is a weak password‑recovery mechanism, CWE‑640 (Weak Password Recovery Mechanism for Forgotten Password).

Affected Systems

The vulnerability exists in blueprintue self‑hosted editions prior to version 4.2.0. Any installation that has not applied the 4.2.0 update or later is affected.

Risk and Exploitability

The CVSS 3.1 base score is 7.4 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N: reachable over the network with no privileges or user interaction and with high impact on confidentiality and integrity, but rated high attack complexity because the attacker must first possess a valid token. The EPSS score is below 1%, and the vulnerability is not listed in CISA KEV; the SSVC assessment records a proof of concept (Exploitation: poc) but rates it not automatable. A 128‑character CSPRNG token cannot be guessed over the network, so the realistic paths are a stale reset email recovered from a compromised, shared or forwarded mailbox, logs that captured the reset link, or social engineering of the user. What the bug changes is the window: a leaked token that should have died after minutes remains usable for months, until the victim happens to complete or re‑request a reset. The risk is therefore significant for any account whose reset email was ever exposed, and the fix should be applied promptly.

Generated by OpenCVE AI on April 22, 2026 at 03:02 UTC.

Remediation

Vendor fix: blueprintUE 4.2.0, which adds the missing expiry check on the password_reset_at timestamp. The vendor has published no separate workaround for earlier versions.

OpenCVE Recommended Actions

  • Upgrade blueprintUE self‑hosted edition to version 4.2.0 or later, which enforces an expiry window on password reset tokens.
  • If an upgrade is not immediately possible, invalidate every outstanding token: clear the stored password_reset token and password_reset_at timestamp for all users (anyone who still needs a reset simply requests a new one), and keep clearing any token older than the window you would have chosen until the patch is applied.
  • Monitor for unusual password reset activity, such as a reset completed long after the corresponding request or a reset on an account that never requested one, and restrict access to wherever tokens are visible (the database and mail‑delivery logs).
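The following is an added example, not blueprintUE's own code, that illustrates the lookup the Description and Impact sections describe and the interim clean‑up recommended above. It assumes an SQLite table named users with columns email, password_reset and password_reset_at (the advisory names the two reset columns; the table name, storage types and the 30‑minute window are assumptions), and it uses function names of its own rather than the project's findUserIDFromEmailAndToken().

```python
"""Added example (not blueprintUE's code): an unexpired reset token versus a
redemption check that enforces a window, plus the stop-gap sweep for
unpatched installs.

Assumed (not from the advisory): table `users`, ISO-8601 UTC text timestamps,
a 30-minute window.  The advisory gives only the column names password_reset
and password_reset_at and the 128-character CSPRNG token.
"""
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

RESET_TOKEN_TTL = timedelta(minutes=30)  # assumed policy, not the vendor's value


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with one constructed user row."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
        "password_reset TEXT, password_reset_at TEXT)"
    )
    db.execute("INSERT INTO users (id, email) VALUES (1, 'alice@example.com')")  # constructed
    return db


def issue_reset_token(db, email, now):
    """Issuance as the advisory describes it: 128-char CSPRNG token plus a timestamp."""
    token = secrets.token_hex(64)  # 64 random bytes -> 128 hex characters
    db.execute(
        "UPDATE users SET password_reset = ?, password_reset_at = ? WHERE email = ?",
        (token, now.isoformat(), email),
    )
    return token


def find_user_id_vulnerable(db, email, token):
    """Shape of the pre-4.2.0 check: email + token only, timestamp never read."""
    row = db.execute(
        "SELECT id FROM users WHERE email = ? AND password_reset = ?", (email, token)
    ).fetchone()
    return row[0] if row else None


def find_user_id_fixed(db, email, token, now):
    """Hardened lookup: fetch by email, then compare token (constant-time) and age."""
    row = db.execute(
        "SELECT id, password_reset, password_reset_at FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None or row[1] is None or row[2] is None:
        return None
    uid, stored, issued_at = row
    if not hmac.compare_digest(stored, token):
        return None
    if now - datetime.fromisoformat(issued_at) > RESET_TOKEN_TTL:
        return None  # token exists and matches, but its window has elapsed
    return uid


def consume_token(db, user_id):
    """After a successful reset, clear the token so it is single-use."""
    db.execute(
        "UPDATE users SET password_reset = NULL, password_reset_at = NULL WHERE id = ?",
        (user_id,),
    )


def sweep_stale_tokens(db, now):
    """Interim mitigation for unpatched installs: void every token older than the
    window.  Returns the number of tokens cleared."""
    cutoff = (now - RESET_TOKEN_TTL).isoformat()  # ISO text compares lexically
    cur = db.execute(
        "UPDATE users SET password_reset = NULL, password_reset_at = NULL "
        "WHERE password_reset IS NOT NULL AND password_reset_at < ?",
        (cutoff,),
    )
    return cur.rowcount


def demo():
    """A token issued 90 days ago: the old check accepts it, the new one rejects it."""
    db = open_db()
    issued = datetime(2026, 1, 1, tzinfo=timezone.utc)
    token = issue_reset_token(db, "alice@example.com", issued)
    later = issued + timedelta(days=90)
    stale_vuln = find_user_id_vulnerable(db, "alice@example.com", token)
    stale_fixed = find_user_id_fixed(db, "alice@example.com", token, later)
    fresh_fixed = find_user_id_fixed(
        db, "alice@example.com", token, issued + timedelta(minutes=5)
    )
    cleared = sweep_stale_tokens(db, later)
    after_sweep = find_user_id_vulnerable(db, "alice@example.com", token)
    return stale_vuln, stale_fixed, fresh_fixed, cleared, after_sweep


if __name__ == "__main__":
    print(demo())
```

find_user_id_vulnerable() reproduces the shape of the pre‑4.2.0 check: any token ever issued for the address still matches. find_user_id_fixed() fetches the row by email and does the token comparison and the age check in application code, so the comparison is constant‑time and the window is enforced regardless of how the database stores timestamps; consume_token() keeps a redeemed token from being replayed. sweep_stale_tokens() is the stop‑gap for an install that cannot upgrade yet. demo() returns (1, None, 1, 1, None): the 90‑day‑old token is accepted by the old check, rejected by the new one, accepted by the new one while fresh, one token is swept, and nothing matches afterwards.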



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Blueprintue; Blueprintue blueprintue-self-hosted-edition

Type: Vendors & Products
Values Removed: (none)
Values Added: Blueprintue; Blueprintue blueprintue-self-hosted-edition

Wed, 22 Apr 2026 00:00:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair — it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0.

Type: Title
Values Removed: (none)
Values Added: blueprintUE: Password Reset Tokens Have No Expiry Window

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-640

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T17:48:47.758Z

Reserved: 2026-04-14T13:24:29.476Z

Link: CVE-2026-40585

Vulnrichment

Updated: 2026-04-21T17:48:37.287Z

NVD

Status: Received

Published: 2026-04-21T17:16:56.380

Modified: 2026-04-21T18:16:50.983

Link: CVE-2026-40585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:05Z

Weaknesses