Account Takeover Risk in BlueprintUE Tool for Unreal Engine Developers
CVE-2026-40588

8.1 HIGH

Key Information:

Vendor
CVE Published: 21 April 2026

What is CVE-2026-40588?

BlueprintUE, a tool designed for Unreal Engine developers, contains a significant vulnerability in its password change functionality prior to version 4.2.0. The absence of a 'current_password' field allows malicious actors, who have already gained unauthorized access through methods like XSS, session hijacking, or physical access, to change the user's password without requiring the original password. This flaw can lead to irreversible account takeovers, posing serious security risks to developers relying on this tool. Users are urged to upgrade to version 4.2.0 or later to mitigate this vulnerability.
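The flaw described above, shown as an added example in Python that is not BlueprintUE's own code: a password-change handler that trusts the session alone, next to one that re-authenticates with the 'current_password' field. The `Account` class, the function names, the `new_password` field and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative, not taken from the project.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    """Hypothetical account record: salted password digest plus live sessions."""
    def __init__(self, password: str):
        self.sessions = set()
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison of the derived digests.
        return hmac.compare_digest(_digest(password, self.salt), self.digest)

def change_password_vulnerable(account: Account, session_id: str, form: dict) -> bool:
    # Behaviour the advisory describes: a valid session is the only gate,
    # so whoever holds the session can set a new password.
    if session_id not in account.sessions:
        return False
    account.set_password(form["new_password"])
    return True

def change_password_hardened(account: Account, session_id: str, form: dict) -> bool:
    # Same session gate, plus re-authentication with the current password.
    if session_id not in account.sessions:
        return False
    if not account.check_password(form.get("current_password", "")):
        return False  # missing or wrong current_password: reject the change
    account.set_password(form["new_password"])
    return True

if __name__ == "__main__":
    victim = Account("original-pass")       # constructed sample data
    victim.sessions.add("hijacked-session")
    form = {"new_password": "attacker-pass"}
    print(change_password_hardened(victim, "hijacked-session", form))
    print(change_password_vulnerable(victim, "hijacked-session", form))
```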

Affected Version(s)

blueprintue-self-hosted-edition < 4.2.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
