CVE-2026-40585
Published: 21 April 2026
Summary
CVE-2026-40585 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 11.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 requires managing authenticators by changing or refreshing them periodically, directly preventing indefinite validity of password reset tokens by enforcing expiration windows.
SI-2 mandates identifying, reporting, testing, and correcting flaws like the missing timestamp validation in the token redemption function through timely patching to version 4.2.0.
AC-2 requires procedures for account management including disabling inactive or unnecessary access mechanisms, which applies to revoking or expiring unused password reset tokens.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a logic flaw in the password reset function of a public-facing web application (blueprintUE), directly enabling network-based exploitation for unauthorized account access via non-expiring tokens.
NVD Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair — it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0.
Deeper analysis
CVE-2026-40585 affects blueprintUE, a self-hosted tool for Unreal Engine developers, in versions prior to 4.2.0. The vulnerability lies in the password reset mechanism, where a 128-character cryptographically secure pseudorandom number generator (CSPRNG) token is generated and stored with a password_reset_at timestamp upon reset initiation. However, the token redemption function, findUserIDFromEmailAndToken(), only verifies a matching email and token pair without checking if the timestamp has exceeded any expiration window. As a result, reset tokens remain valid indefinitely until consumed or overwritten by a new reset request. This issue, classified under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password), carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and was published on 2026-04-21.
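The flaw is the lookup shape itself: a query keyed on email plus token alone has no way to reject a stale token. The following added example (written for this page, not blueprintUE's code) contrasts that lookup pattern with a redemption routine that also enforces the password_reset_at window and consumes the token on first use. The table schema, the one-hour window and the sample account are constructed assumptions; only the column names password_reset and password_reset_at follow the advisory's description.

```python
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed policy window for this example; the advisory names no specific value.
RESET_WINDOW = timedelta(hours=1)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table mirroring the two columns the advisory names."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " email TEXT UNIQUE NOT NULL,"
        " password_reset TEXT,"
        " password_reset_at TEXT)"
    )
    return db


def start_reset(db: sqlite3.Connection, email: str, now: datetime) -> str:
    """Issue a 128-hex-character CSPRNG token and record when it was issued."""
    token = secrets.token_hex(64)
    db.execute(
        "UPDATE users SET password_reset = ?, password_reset_at = ? WHERE email = ?",
        (token, now.isoformat(), email),
    )
    return token


def find_user_id_vulnerable(db: sqlite3.Connection, email: str, token: str):
    """Lookup pattern the advisory describes: email + token only, no timestamp check.

    Because password_reset_at is never consulted, a token stays valid until it is
    overwritten by a later reset request.
    """
    row = db.execute(
        "SELECT id FROM users WHERE email = ? AND password_reset = ?", (email, token)
    ).fetchone()
    return row[0] if row else None


def find_user_id_hardened(db: sqlite3.Connection, email: str, token: str, now: datetime):
    """Hardened redemption: constant-time compare, expiry window, single use."""
    row = db.execute(
        "SELECT id, password_reset, password_reset_at FROM users WHERE email = ?",
        (email,),
    ).fetchone()
    if row is None or row[1] is None or row[2] is None:
        return None  # no outstanding reset for this address
    user_id, stored, issued_at = row
    # Compare as bytes so the constant-time check works for any client-supplied string.
    if not hmac.compare_digest(stored.encode(), token.encode()):
        return None
    if now - datetime.fromisoformat(issued_at) > RESET_WINDOW:
        return None  # the missing check: token issued too long ago
    # Consume the token so it cannot be redeemed a second time.
    db.execute(
        "UPDATE users SET password_reset = NULL, password_reset_at = NULL WHERE id = ?",
        (user_id,),
    )
    return user_id


def demo() -> dict:
    """Constructed scenario: a token captured at issue time and redeemed 30 days later."""
    db = make_db()
    db.execute("INSERT INTO users (email) VALUES ('alice@example.com')")  # constructed account
    issued = datetime(2026, 4, 21, 9, 0, tzinfo=timezone.utc)
    token = start_reset(db, "alice@example.com", issued)
    much_later = issued + timedelta(days=30)
    return {
        "vulnerable_accepts_stale": find_user_id_vulnerable(db, "alice@example.com", token),
        "hardened_rejects_stale": find_user_id_hardened(db, "alice@example.com", token, much_later),
        "hardened_accepts_fresh": find_user_id_hardened(
            db, "alice@example.com", token, issued + timedelta(minutes=5)
        ),
        "hardened_rejects_reuse": find_user_id_hardened(
            db, "alice@example.com", token, issued + timedelta(minutes=6)
        ),
    }


if __name__ == "__main__":
    print(demo())
```

In the hardened path the window check and the single-use clearing are what map to IA-5 (authenticator lifetime) above; the constant-time comparison is a separate hygiene point that a lookup keyed on the token column does not give you.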
An attacker with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. Exploitation typically involves obtaining a victim's reset token—such as through phishing to trigger a reset and capture the token from email or other delivery methods—followed by redeeming it at any time with the victim's email address. Successful redemption allows the attacker to reset the victim's password, achieving high-impact confidentiality and integrity violations, such as unauthorized account access and potential control over the victim's blueprintUE instance.
The GitHub security advisory for blueprintUE-self-hosted-edition (GHSA-qr65-6vp8-whjf) confirms the issue is fixed in version 4.2.0, recommending immediate upgrades to mitigate the vulnerability. No additional workarounds are specified in available references.
Details
- CWE(s)