Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store associates userID → session; the current password change/reset flow updates only the password column in the users table and does not destroy or mark invalid any active sessions. As a result, an attacker who has already compromised a session retains full access to the account indefinitely — even after the legitimate user has detected the intrusion and changed their password — until the session's natural expiry time (configured as SESSION_GC_MAXLIFETIME, defaulting to 86400 seconds / 24 hours, with SESSION_LIFETIME=0 meaning persistent until browser close or GC, whichever is later). This vulnerability is fixed in 4.2.0.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Compromise Persistence
Action: Patch Now
AI Analysis

Impact

The flaw lies in the session management mechanism of blueprintUE. When a user changes their password or completes a reset through the web interface, the server-side session store keeps honouring the session tokens that already exist for that user. Consequently, any actor who has already hijacked a session remains fully authenticated until that session is naturally discarded, typically after 24 hours or when the browser is closed. This allows repeated unauthorized access to the user's account after the legitimate owner has taken remedial action, effectively turning a one-time session theft into persistent access. The weakness is classified as CWE-613 (Insufficient Session Expiration): existing sessions are not invalidated after a password change.

Affected Systems

All installations of blueprintUE self-hosted edition older than version 4.2.0 are impacted; the vulnerability is fixed in 4.2.0.

Risk and Exploitability

The CVSS score is 6.5, indicating a medium severity that could lead to persistent account compromise. EPSS is not reported, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote, requiring an attacker to possess a valid session cookie, which could be obtained through typical credential theft or other session hijacking techniques. Once a session is hijacked, the vulnerability allows it to remain active indefinitely, raising the risk of long-term unauthorized access. Even with session timeout policies, the window of exposure expands to the full GC lifetime or browser lifetime.

Generated by OpenCVE AI on April 21, 2026 at 22:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to blueprintUE version 4.2.0 or later, where active sessions are invalidated on password change or reset.
  • If an upgrade is not immediately possible, manually clear all user sessions from the session store to terminate compromised tokens.
  • Consider lowering the SESSION_GC_MAXLIFETIME parameter or configuring sessions to be terminated at password change via custom patch, ensuring future sessions do not persist beyond a reasonable timeframe.

Generated by OpenCVE AI on April 21, 2026 at 22:32 UTC.
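A constructed model of the defect described above and of the "terminate sessions at password change" remediation from the recommended actions. This is added example code, not blueprintUE's implementation: the store layout, the class and function names and the fake clock are assumptions; only the 86400-second GC lifetime comes from the advisory.

```python
# Constructed model of the session defect described above (CWE-613); not
# blueprintUE code. Store layout, names and the fake clock are assumptions.
import secrets
GC_MAXLIFETIME = 86400  # seconds; the 24 h default named in the advisory

class SessionStore:
    def __init__(self, now):
        self._now = now      # callable returning the current time
        self._sessions = {}  # session_id -> {"user_id", "last_seen"}
        self._by_user = {}   # user_id -> {session_id, ...}

    def create(self, user_id):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user_id": user_id, "last_seen": self._now()}
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def is_valid(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return False
        if self._now() - s["last_seen"] > GC_MAXLIFETIME:  # GC would reap it
            self.destroy(sid)
            return False
        return True

    def destroy(self, sid):
        s = self._sessions.pop(sid, None)
        if s is not None:
            self._by_user[s["user_id"]].discard(sid)

    def destroy_all_for_user(self, user_id):
        for sid in list(self._by_user.get(user_id, ())):
            self.destroy(sid)

def change_password(store, passwords, user_id, new_hash, sid, fixed):
    passwords[user_id] = new_hash        # the vulnerable flow stops here
    if not fixed:
        return sid
    store.destroy_all_for_user(user_id)  # fixed flow: drop every session...
    return store.create(user_id)         # ...and re-issue one to the changer

def scenario(fixed, seconds_after=0):
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    passwords = {"alice": "old-hash"}
    owner, hijacked = store.create("alice"), store.create("alice")
    owner = change_password(store, passwords, "alice", "new-hash", owner, fixed)
    clock[0] += seconds_after
    return store.is_valid(hijacked), store.is_valid(owner)
```

`scenario(fixed=False)` returns `(True, True)`: the hijacked session survives the password change until GC reaps it a day later; `scenario(fixed=True)` returns `(False, True)`, the owner keeps a freshly issued session and nothing else.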

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Blueprintue
                                      Blueprintue blueprintue-self-hosted-edition
Vendors & Products   -                Blueprintue
                                      Blueprintue blueprintue-self-hosted-edition

Wed, 22 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:45:00 +0000

Type                 Values Removed   Values Added
Description          -                (the full description shown at the top of this page)
Title                -                blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset
Weaknesses           -                CWE-613
References           -                -
Metrics              -                cvssV3_1
                                      {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:37:05.304Z

Reserved: 2026-04-14T13:24:29.476Z

Link: CVE-2026-40587

Vulnrichment

Updated: 2026-04-21T19:59:29.703Z

NVD

Status: Received

Published: 2026-04-21T18:16:51.073

Modified: 2026-04-21T21:16:42.510

Link: CVE-2026-40587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:02Z

Weaknesses