CVE-2026-40588 HIGH

CVE-2026-40588: blueprintUE: Authenticated Password Change Does Not Verify Current Password

Vendor Blueprintue
Product blueprintue-self-hosted-edition
Weakness CWE-620 · Unverified password change
Published April 21, 2026
Last update April 22, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

blueprintUE is a tool to help Unreal Engine developers. In blueprintue-self-hosted-edition prior to 4.2.0, the password change form at /profile/{slug}/edit/ has no current_password field, and the handler does not verify the user's existing password before accepting a new one. Possession of a valid authenticated session is therefore sufficient to change the password: an attacker who obtains one, whether through XSS, session sidejacking over plain HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie, can set a new password without knowing the original credential. This locks the legitimate user out and turns a temporary session compromise into permanent account takeover. The issue is fixed in 4.2.0; self-hosted deployments should upgrade to 4.2.0 or later.
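The following is an added illustration of the weakness class and its fix, not code from blueprintUE (which is a PHP application; this is a Python model of a form handler). The user store, the slug "alice", the passwords and the cookie values are all constructed for the demo, and the session-revocation step is a generic hardening measure, not something the advisory says 4.2.0 does. The vulnerable handler trusts the session alone; the hardened one re-authenticates with current_password and then kills every other session for the account, so a stolen cookie stops working once the owner changes their password.

```python
"""Current-password check on a password-change handler (CWE-620 model).

Added example, not blueprintUE code: a session cookie identifies the user,
and the form carries new_password with or without current_password.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 20_000  # kept low for the demo; production tunes this much higher


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Toy user and session store standing in for the application database (constructed)."""

    def __init__(self):
        self.users = {}     # slug -> {"salt": bytes, "hash": bytes}
        self.sessions = {}  # session id (cookie value) -> slug

    def add_user(self, slug, password):
        salt, digest = hash_password(password)
        self.users[slug] = {"salt": salt, "hash": digest}

    def login(self, slug, password):
        """Returns a fresh session id on success, None otherwise."""
        user = self.users.get(slug)
        if user is None or not verify_password(password, user["salt"], user["hash"]):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = slug
        return sid


def vulnerable_change_password(store, session_id, form):
    """Pre-fix behaviour: the session alone authorises the change."""
    slug = store.sessions.get(session_id)
    if slug is None:
        return "unauthenticated"
    # BUG (CWE-620): no current_password field is requested or checked
    salt, digest = hash_password(form["new_password"])
    store.users[slug] = {"salt": salt, "hash": digest}
    return "changed"


def hardened_change_password(store, session_id, form):
    """Fixed behaviour: re-authenticate with the current password, then
    revoke every other session so a hijacked cookie stops working."""
    slug = store.sessions.get(session_id)
    if slug is None:
        return "unauthenticated"
    user = store.users[slug]
    current = form.get("current_password", "")
    if not current or not verify_password(current, user["salt"], user["hash"]):
        return "current_password_invalid"
    salt, digest = hash_password(form["new_password"])
    store.users[slug] = {"salt": salt, "hash": digest}
    for sid in [s for s, owner in store.sessions.items() if owner == slug and s != session_id]:
        del store.sessions[sid]
    return "changed"


ORIGINAL_PW = "correct horse battery staple"  # constructed
NEW_PW = "a different long passphrase"        # constructed


def demo():
    """Attacker holds a copy of the victim's session cookie (e.g. sidejacked)."""
    out = {}
    # 1. vulnerable handler: the cookie alone is enough to rewrite the password
    store = UserStore()
    store.add_user("alice", ORIGINAL_PW)
    stolen_cookie = store.login("alice", ORIGINAL_PW)
    out["vuln_attacker"] = vulnerable_change_password(store, stolen_cookie, {"new_password": "pwned"})
    out["vuln_victim_login"] = store.login("alice", ORIGINAL_PW) is not None  # victim locked out
    # 2. hardened handler: victim is logged in on two browsers, attacker stole one cookie
    store = UserStore()
    store.add_user("alice", ORIGINAL_PW)
    victim_cookie = store.login("alice", ORIGINAL_PW)
    stolen_cookie = store.login("alice", ORIGINAL_PW)
    out["fixed_attacker_no_field"] = hardened_change_password(store, stolen_cookie, {"new_password": "pwned"})
    out["fixed_attacker_guess"] = hardened_change_password(
        store, stolen_cookie, {"current_password": "hunter2", "new_password": "pwned"})
    out["fixed_victim"] = hardened_change_password(
        store, victim_cookie, {"current_password": ORIGINAL_PW, "new_password": NEW_PW})
    out["stolen_cookie_alive"] = stolen_cookie in store.sessions  # revoked by the victim's change
    out["victim_new_login"] = store.login("alice", NEW_PW) is not None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same check applies to any self-hosted instance you maintain: if the edit form can be submitted with only a new password and no field for the current one, the handler is exposed in exactly the way the advisory describes, regardless of how the session was obtained.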

Key dates

02 Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated