Indefinite Token Validity in blueprintUE Tool by BlueprintUE
CVE-2026-40585

7.4HIGH

Key Information:

Vendor: Blueprintue
Status: Blueprintue-self-hosted-edition
Vendor: CVE Published:; 21 April 2026

🔔 Create Blueprintue Vulnerability Alert

What is CVE-2026-40585?

In blueprintUE, a tool designed for Unreal Engine developers, there exists a vulnerability prior to version 4.2.0 related to password reset functionality. When a user initiates a password reset, a token generated via a cryptographically secure random number generator (CSPRNG) is created and is stored alongside a timestamp indicating the reset request's time. The vulnerability arises as the function responsible for redeeming this token does not enforce a maximum validity period, thereby allowing a generated reset token to remain valid indefinitely. It is only invalidated when explicitly used or replaced by a new reset request, potentially exposing users to security risks.

Affected Version(s)

blueprintue-self-hosted-edition < 4.2.0

References

https://github.com/blueprintue/blueprintue-self-hosted-ed...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 14, 2026

CVE-2026-40585 Data

JSON