blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored…

Published:

20 April 2026 at 22:00:00

Alert date:

21 April 2026 at 18:10:28

Source:

nvd.nist.gov

Identity & Access, Web Technologies

blueprintUE, a tool for Unreal Engine developers, contains a vulnerability in versions prior to 4.2.0 in which password reset tokens remain valid indefinitely. The token redemption function findUserIDFromEmailAndToken() checks only that the email and token pair matches; it does not validate the password_reset_at timestamp against a maximum time window. A generated reset token therefore persists until it is explicitly consumed or overwritten by a subsequent reset request, so an old, unused reset token can still be redeemed long after it was issued. The vulnerability has been addressed in version 4.2.0.
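
The missing check described above, as an added Python example that is not blueprintUE's own code. The table layout, the reset_token column, the function names and the one-hour window are assumptions; only password_reset_at and the match-on-email-and-token behaviour come from the advisory.

```python
import hmac
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed window; the advisory does not state the value used in 4.2.0.
MAX_TOKEN_AGE = timedelta(hours=1)


def find_user_id_unbounded(db, email, token):
    """Behaviour the advisory describes: match on email + token only."""
    row = db.execute(
        "SELECT id FROM users WHERE email = ? AND reset_token = ?", (email, token)
    ).fetchone()
    return row[0] if row else None


def find_user_id_bounded(db, email, token, now=None):
    """Hardened lookup: also require password_reset_at inside MAX_TOKEN_AGE."""
    now = now or datetime.now(timezone.utc)
    row = db.execute(
        "SELECT id, reset_token, password_reset_at FROM users WHERE email = ?",
        (email,),
    ).fetchone()
    if row is None or row[1] is None or row[2] is None:
        return None  # unknown user or no reset outstanding
    user_id, stored, issued_at = row[0], row[1], datetime.fromisoformat(row[2])
    # Constant-time comparison of the stored and presented token.
    if not hmac.compare_digest(stored.encode(), token.encode()):
        return None
    # Reject tokens older than the window, and timestamps in the future.
    if not (timedelta(0) <= now - issued_at <= MAX_TOKEN_AGE):
        return None
    return user_id


def make_db(issued_at):
    """Constructed sample data: one user with an outstanding reset token."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,"
        " reset_token TEXT, password_reset_at TEXT)"
    )
    db.execute(
        "INSERT INTO users VALUES (1, 'dev@example.test', ?, ?)",
        ("t" * 128, issued_at.isoformat()),
    )
    return db
```

On a successful reset the stored token and timestamp should also be cleared, so that a token inside the window cannot be redeemed twice.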

Technical details

Affected products:

blueprintUE

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.