CVE-2026-40585
Received Received - Intake
Insecure Password Reset Token Validation in blueprintUE Before

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair β€” it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40585
EUVD
EUVD-2026-24181
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
blueprintue blueprintue 4.2.0
blueprintue blueprintue-self-hosted-edition to 4.2.0 (exc)
blueprintue blueprintue-self-hosted-edition to 4.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows password reset tokens to remain valid indefinitely, which can lead to unauthorized access to user accounts if tokens are compromised. Such unauthorized access can result in breaches of confidentiality and integrity of user data.

From a compliance perspective, this flaw could negatively impact adherence to standards and regulations like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data. The indefinite validity of reset tokens increases the risk of data breaches, potentially leading to violations of data protection requirements.

Therefore, until patched, this vulnerability poses a risk to maintaining compliance with these regulations by failing to adequately secure password reset mechanisms and protect user data confidentiality.

Executive Summary

CVE-2026-40585 is a vulnerability in the password reset mechanism of blueprintUE, a tool for Unreal Engine developers. Before version 4.2.0, when a password reset was requested, a 128-character cryptographically secure token was generated and stored with a timestamp. However, the function that redeems this token only checked if the email and token matched, without verifying if the token had expired.

This means that password reset tokens remain valid indefinitely until they are used or replaced by a new reset request. An attacker who obtains a valid token can reset the password at any time, even long after the token was issued.

Impact Analysis

This vulnerability allows attackers who have obtained a password reset token to reset user passwords indefinitely, compromising account security. The token does not expire, so if an attacker gains access to the token through means such as email server compromise, shared inboxes, browser history leaks, or network interception, they can reset the password at any time.

  • Attackers can gain unauthorized access to user accounts.
  • Confidentiality and integrity of user accounts are compromised.
  • Users cannot revoke outstanding tokens unless they perform another reset or login.
Detection Guidance

This vulnerability can be detected by examining the password reset token redemption process in the blueprintue-self-hosted-edition application. Specifically, you should verify whether the SQL query used to validate password reset tokens includes a check for token expiration based on the password_reset_at timestamp.

A key indicator of the vulnerability is if the query looks like this, without any expiration check:

  • SELECT id FROM users WHERE email = :email AND password_reset = :token;

Instead, a secure query should enforce a token lifetime, for example:

  • SELECT id FROM users WHERE email = :email AND password_reset = :token AND password_reset_at >= (UTC_TIMESTAMP() - INTERVAL 1 HOUR);

To detect if tokens are being accepted indefinitely, you can monitor password reset requests and token usage timestamps in your database to see if tokens older than the intended expiration window are still valid.

Commands to help detect this might include running SQL queries against your user database to check for tokens and their timestamps, for example:

  • SELECT email, password_reset, password_reset_at FROM users WHERE password_reset IS NOT NULL ORDER BY password_reset_at DESC;

You can also review application source code files such as `app/models/UserModel.php` for the token redemption function and `app/services/www/UserService.php` for the token generation process to confirm whether token expiration is enforced.

Mitigation Strategies

The immediate mitigation step is to upgrade blueprintue-self-hosted-edition to version 4.2.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, you should modify the token redemption logic to enforce a maximum token lifetime by adding a condition to the SQL query that checks the password_reset_at timestamp, for example:

  • SELECT id FROM users WHERE email = :email AND password_reset = :token AND password_reset_at >= (UTC_TIMESTAMP() - INTERVAL 1 HOUR);

Additional recommended steps include:

  • Display the token expiry window in password reset emails to inform users.
  • Implement automated cleanup of stale tokens using scheduled jobs or cron tasks.

Also, review your email security and network configurations to reduce the risk of token interception or compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40585. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart