Cyber Posture

CVE-2026-40588

Severity: High

Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (fixed in 4.2.0)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.2th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40588 is a high-severity Unverified Password Change (CWE-620) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). The CVE is ranked at the 9.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Manipulation (T1098). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

IA-11 Re-authentication (prevent): Re-authentication requires verification of current credentials prior to sensitive actions like password changes, directly preventing account takeover by attackers with stolen sessions.

SI-2 Flaw Remediation (prevent): Flaw remediation mandates identifying, prioritizing, and applying patches for vulnerabilities like the missing current password verification in the password change form.

IA-5 Authenticator Management (prevent): Authenticator management establishes secure procedures for password changes that include verifying the existing authenticator, mitigating unauthorized modifications.

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

Why these techniques?

The vulnerability allows an authenticated attacker to change an account's password without verifying the current password, directly enabling unauthorized account manipulation and permanent takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0.

Deeper analysis

CVE-2026-40588 is a vulnerability in blueprintUE, a self-hosted tool designed to assist Unreal Engine developers, affecting versions prior to 4.2.0. The issue resides in the password change form at the /profile/{slug}/edit/ endpoint, which lacks a current_password field and fails to verify the user's existing password before accepting a new one. Classified under CWE-620 with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), it enables unauthorized password modifications by authenticated users.

An attacker who gains a valid authenticated session—via methods such as XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or theft of a "remember me" cookie—can immediately change the target account's password without knowledge of the original credentials. This results in permanent account takeover, granting full control over the victim's blueprintUE account.

The vulnerability is addressed in blueprintUE version 4.2.0. Additional mitigation details are available in the GitHub security advisory at https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x.
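As an added illustration of the defect described above and of the re-authentication control (IA-11) recommended for it, the following is a minimal password-change handler showing the vulnerable pattern beside the hardened one. It is example code written in Python, not blueprintUE's own code; the in-memory user and session stores and the sample credentials are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stores standing in for the application's database.
USERS: dict = {}     # username -> {"salt": bytes, "hash": bytes}
SESSIONS: dict = {}  # session id -> username

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}

def _verify(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(
        _hash(password, user["salt"]), user["hash"])

def login(username: str, password: str) -> Optional[str]:
    """Issue a session id on correct credentials, as the login form would."""
    if not _verify(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def change_password_unverified(sid: str, new_password: str) -> bool:
    """Vulnerable pattern (CWE-620): the form has no current_password field,
    so whoever holds the session cookie can set a new password."""
    username = SESSIONS.get(sid)
    if username is None:
        return False
    _set_password(username, new_password)
    return True

def change_password(sid: str, current_password: str, new_password: str) -> bool:
    """Hardened pattern (IA-11 re-authentication): verify the current password,
    then revoke the user's other sessions so a stolen cookie stops working."""
    username = SESSIONS.get(sid)
    if username is None or not _verify(username, current_password):
        return False
    _set_password(username, new_password)
    for other in [s for s, u in SESSIONS.items() if u == username and s != sid]:
        del SESSIONS[other]
    return True
```

Revoking the other sessions on a successful change is what limits the damage from a stolen cookie once the legitimate user reacts; without it, the attacker's session would survive the victim's own password reset.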

Details

CWE(s): CWE-620 (Unverified Password Change)

CVEs Like This One

- CVE-2026-24440 (shared CWE-620)
- CVE-2026-27757 (shared CWE-620)
- CVE-2026-24443 (shared CWE-620)
- CVE-2025-1107 (shared CWE-620)
- CVE-2026-42084 (shared CWE-620)
- CVE-2024-9431 (shared CWE-620)
- CVE-2025-9286 (shared CWE-620)
- CVE-2025-63362 (shared CWE-620)
- CVE-2024-12824 (shared CWE-620)
- CVE-2025-11235 (shared CWE-620)