Cyber Resilience

CVE-2026-40588

High

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0022 11.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-40588 is a high-severity Unverified Password Change (CWE-620) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40588 is a vulnerability in blueprintUE, a self-hosted tool designed to assist Unreal Engine developers, affecting versions prior to 4.2.0. The issue resides in the password change form at the /profile/{slug}/edit/ endpoint, which lacks a current_password field and fails to verify the user's existing password before accepting a new one. Classified under CWE-620 with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), it enables unauthorized password modifications by authenticated users.

An attacker who gains a valid authenticated session—via methods such as XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or theft of a "remember me" cookie—can immediately change the target account's password without knowledge of the original credentials. This results in permanent account takeover, granting full control over the victim's blueprintUE account.

The vulnerability is addressed in blueprintUE version 4.2.0. Additional mitigation details are available in the GitHub security advisory at https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who…

more

obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The vulnerability allows an authenticated attacker to change an account's password without verifying the current password, directly enabling unauthorized account manipulation and permanent takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24443Shared CWE-620
CVE-2024-9431Shared CWE-620
CVE-2026-24440Shared CWE-620
CVE-2026-27757Shared CWE-620
CVE-2025-1107Shared CWE-620
CVE-2026-42084Shared CWE-620
CVE-2024-45647Shared CWE-620
CVE-2024-13375Shared CWE-620
CVE-2024-12860Shared CWE-620
CVE-2026-30458Shared CWE-620

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Re-authentication requires verification of current credentials prior to sensitive actions like password changes, directly preventing account takeover by attackers with stolen sessions.

prevent

Flaw remediation mandates identifying, prioritizing, and applying patches for vulnerabilities like the missing current password verification in the password change form.

prevent

Authenticator management establishes secure procedures for password changes that include verifying the existing authenticator, mitigating unauthorized modifications.

References