Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Credential Guessing
Action: Patch
AI Analysis

Impact

The login endpoint of blueprintUE Self‑Hosted Edition does not enforce any throttling, lockout, or brute‑force protection. An attacker may submit an unlimited number of authentication requests at full network speed. Without rate limiting, per‑account counters, or CAPTCHA challenges, attackers can perform dictionary or credential‑stuffing attacks against known or guessed user accounts. This weakness, identified by CWE-307, can lead to unauthorized access, credential theft, and potentially full compromise of the application and underlying systems.

Affected Systems

All installations of blueprintUE Self‑Hosted Edition running any version earlier than 4.2.0 are affected. The vulnerability was fixed in version 4.2.0 and later releases have built‑in rate limiting and lockout mechanisms.

Risk and Exploitability

The CVSS score is 7.5, indicating a high impact with reasonable exploitation complexity. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers need only to send repeated credential attempts against the login endpoint, which is accessible over the network, making it a likely target for automated brute‑force tools.

Generated by OpenCVE AI on April 21, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to blueprintUE Self‑Hosted Edition 4.2.0 or later to gain built‑in throttling and lockout features.
  • If an upgrade is not immediately possible, deploy network‑level rate limiting or IP‑based blocking on the login service to reduce the request rate.
  • Apply additional challenges such as CAPTCHA or multi‑factor authentication to the login form.

Generated by OpenCVE AI on April 21, 2026 at 22:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Blueprintue
Blueprintue blueprintue-self-hosted-edition
Vendors & Products Blueprintue
Blueprintue blueprintue-self-hosted-edition

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0.
Title blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Blueprintue Blueprintue-self-hosted-edition
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:04:41.220Z

Reserved: 2026-04-14T13:24:29.476Z

Link: CVE-2026-40586

cve-icon Vulnrichment

Updated: 2026-04-21T19:04:35.536Z

cve-icon NVD

Status : Received

Published: 2026-04-21T17:16:56.523

Modified: 2026-04-21T20:16:59.757

Link: CVE-2026-40586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:46:04Z

Weaknesses