CVE-2026-40586
Published: 21 April 2026
Summary
CVE-2026-40586 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-14 (Public Access Protections).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-7 mandates thresholds for unsuccessful logon attempts, including lockouts and delays, directly preventing brute-force, dictionary, and credential stuffing attacks on the blueprintUE login form.
SC-14 requires protections like rate limiting and web application firewalls for publicly accessible systems, comprehensively mitigating unlimited authentication attempts at full network speed.
SI-2 requires timely identification, reporting, and correction of flaws, directly addressing the need to patch blueprintUE to version 4.2.0 where login throttling is implemented.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing rate limiting on the login form directly enables brute force attacks including password guessing, password spraying, and credential stuffing against user accounts.
NVD Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0.
Deeper analysis
CVE-2026-40586 is a vulnerability in the login form handler of blueprintUE, a self-hosted tool for Unreal Engine developers, affecting versions prior to 4.2.0. The handler lacks any form of throttling, including IP-based rate limiting, per-account attempt counters, temporary lockouts, progressive delays, or CAPTCHA challenges, allowing failed authentication attempts to be processed at full network speed. This improper restriction of excessive authentication attempts (CWE-307) has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact potential from network-based exploitation without privileges or user interaction.
Any unauthenticated attacker with network access to the blueprintUE instance can exploit this vulnerability by submitting an unlimited number of credential guesses. This enables brute-force attacks, dictionary attacks, credential stuffing using data from breached databases, or targeted guesses against users with predictable passwords, despite the enforced password policy requiring 10+ characters with mixed case, digits, and special characters. Successful exploitation could grant unauthorized access to the tool's administrative functions or user accounts.
The GitHub security advisory (GHSA-m6c2-6p3h-8jv2) for the blueprintue-self-hosted-edition repository confirms the issue and states that it is fixed in version 4.2.0. Security practitioners should upgrade to 4.2.0 or later and consider implementing additional server-side protections like web application firewalls with rate limiting rules as interim mitigations.
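The throttling layers the description says were missing (per-IP rate limit, per-account failure counter with temporary lockout, and a progressive delay) can be combined in one server-side gate. The following is an added illustration written for this page, not code from blueprintUE or the advisory; the threshold values, the address 203.0.113.7 and the account name "alice" are constructed assumptions.

```python
import time
from collections import defaultdict, deque
# Constructed policy values, not blueprintUE's own settings.
IP_WINDOW_SECONDS = 60       # sliding window for the per-IP limit (SC-14)
IP_MAX_ATTEMPTS = 20         # attempts one IP may make per window
ACCOUNT_MAX_FAILURES = 5     # consecutive failures before lockout (AC-7)
LOCKOUT_SECONDS = 900        # temporary lockout length
BASE_DELAY_SECONDS = 1.0     # progressive delay, doubled per failure (tarpit)

class LoginThrottle:
    def __init__(self, now=time.monotonic):
        self.now = now                     # clock, injectable for testing
        self.ip_hits = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> time the lockout ends

    def check(self, ip, username):
        """Call before verifying the password; returns (allowed, delay, reason)."""
        t = self.now()
        hits = self.ip_hits[ip]
        while hits and t - hits[0] > IP_WINDOW_SECONDS:
            hits.popleft()                 # drop attempts outside the window
        if len(hits) >= IP_MAX_ATTEMPTS:
            return False, 0.0, "ip_rate_limited"
        hits.append(t)
        if self.locked_until.get(username, 0.0) > t:
            return False, 0.0, "account_locked"
        n = self.failures[username]
        delay = BASE_DELAY_SECONDS * 2 ** (n - 1) if n else 0.0
        return True, delay, "ok"           # caller sleeps `delay` before replying

    def record(self, username, success):
        """Call after verifying the password to update the per-account counter."""
        if success:
            self.failures.pop(username, None)
            return
        self.failures[username] += 1
        if self.failures[username] >= ACCOUNT_MAX_FAILURES:
            self.locked_until[username] = self.now() + LOCKOUT_SECONDS

def simulate_guessing(guesses=6):
    """Constructed scenario: one IP sends wrong passwords for one account."""
    throttle = LoginThrottle(now=lambda: 1000.0)  # frozen clock: full network speed
    outcomes = []
    for _ in range(guesses):
        allowed, delay, reason = throttle.check("203.0.113.7", "alice")
        outcomes.append((allowed, delay, reason))
        if allowed:
            throttle.record("alice", success=False)
    return outcomes
```

The delay grows 0, 1, 2, 4, 8 seconds over the first five failures and the sixth attempt is refused outright, so the per-account counter bites even when the per-IP window has not yet filled.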
Details
- CWE(s)