Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0.
Published: 2026-04-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Permanent Account Takeover
Action: Immediate Patch
AI Analysis

Impact

A flaw in blueprintUE’s password change interface allows an authenticated user to change their password without providing the current password. Because the form does not verify the user’s existing credentials, once an attacker has an active session they can set a new password and gain full control of the account.

Affected Systems

All installations of the blueprintUE Self‑Hosted Edition running a version earlier than 4.2.0 are vulnerable. The patch that fixes the issue is included in release 4.2.0 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity. Although EPSS data is not available and the issue is not listed in CISA’s KEV catalog, the impact is permanent account takeover, which threatens confidentiality, integrity, and availability of the affected users. Exploitation requires an authenticated session, which an attacker can obtain through XSS exploitation, session side‑jacking over HTTP, physical access to a logged‑in browser, or a stolen “remember me” cookie. Once the attacker has such a session, changing the password is trivial and can be performed without any additional credentials.

Generated by OpenCVE AI on April 21, 2026 at 22:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade blueprintUE to version 4.2.0 or later, which restores current‑password verification during changes. 1
  • To protect against session hijacking until an upgrade is possible, enforce HTTPS everywhere, set cookies with Secure and HttpOnly attributes, and apply SameSite policies to prevent cross‑site leakage. 2
  • Implement user‑activity monitoring to detect and alert on unexpected password changes, and consider requiring re‑authentication for sensitive actions such as password updates. 3

Generated by OpenCVE AI on April 21, 2026 at 22:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Blueprintue
Blueprintue blueprintue-self-hosted-edition
Vendors & Products Blueprintue
Blueprintue blueprintue-self-hosted-edition

Tue, 21 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0.
Title blueprintUE: Authenticated Password Change Does Not Verify Current Password
Weaknesses CWE-620
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Blueprintue Blueprintue-self-hosted-edition
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:22:02.425Z

Reserved: 2026-04-14T13:24:29.476Z

Link: CVE-2026-40588

cve-icon Vulnrichment

Updated: 2026-04-22T13:21:42.539Z

cve-icon NVD

Status : Deferred

Published: 2026-04-21T18:16:51.207

Modified: 2026-04-22T21:16:27.863

Link: CVE-2026-40588

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:46:01Z

Weaknesses