CVE-2026-40585
Insecure Password Reset Token Validation in blueprintUE Before
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blueprintue | blueprintue | 4.2.0 |
| blueprintue | blueprintue-self-hosted-edition | < 4.2.0 (excluding) |
| blueprintue | blueprintue-self-hosted-edition | <= 4.1.2 (including) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40585 is a vulnerability in the password reset mechanism of blueprintUE, a tool for Unreal Engine developers. Before version 4.2.0, when a password reset was requested, a 128-character cryptographically secure token was generated and stored with a timestamp. However, the function that redeems this token only checked if the email and token matched, without verifying if the token had expired.
This means that password reset tokens remain valid indefinitely until they are used or replaced by a new reset request. An attacker who obtains a valid token can reset the password at any time, even long after the token was issued.
How can this vulnerability impact me?
This vulnerability allows attackers who have obtained a password reset token to reset user passwords indefinitely, compromising account security. The token does not expire, so if an attacker gains access to the token through means such as email server compromise, shared inboxes, browser history leaks, or network interception, they can reset the password at any time.
- Attackers can gain unauthorized access to user accounts.
- Confidentiality and integrity of user accounts are compromised.
- Users cannot revoke outstanding tokens unless they perform another reset or login.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by examining the password reset token redemption process in the blueprintue-self-hosted-edition application. Specifically, you should verify whether the SQL query used to validate password reset tokens includes a check for token expiration based on the password_reset_at timestamp.
A key indicator of the vulnerability is if the query looks like this, without any expiration check:
- SELECT id FROM users WHERE email = :email AND password_reset = :token;
Instead, a secure query should enforce a token lifetime, for example:
- SELECT id FROM users WHERE email = :email AND password_reset = :token AND password_reset_at >= (UTC_TIMESTAMP() - INTERVAL 1 HOUR);
To detect if tokens are being accepted indefinitely, you can monitor password reset requests and token usage timestamps in your database to see if tokens older than the intended expiration window are still valid.
Commands to help detect this might include running SQL queries against your user database to check for tokens and their timestamps, for example:
- SELECT email, password_reset, password_reset_at FROM users WHERE password_reset IS NOT NULL ORDER BY password_reset_at DESC;
You can also review application source code files such as `app/models/UserModel.php` for the token redemption function and `app/services/www/UserService.php` for the token generation process to confirm whether token expiration is enforced.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade blueprintue-self-hosted-edition to version 4.2.0 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, you should modify the token redemption logic to enforce a maximum token lifetime by adding a condition to the SQL query that checks the password_reset_at timestamp, for example:
- SELECT id FROM users WHERE email = :email AND password_reset = :token AND password_reset_at >= (UTC_TIMESTAMP() - INTERVAL 1 HOUR);
Additional recommended steps include:
- Display the token expiry window in password reset emails to inform users.
- Implement automated cleanup of stale tokens using scheduled jobs or cron tasks.
Also, review your email security and network configurations to reduce the risk of token interception or compromise.
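The detection and mitigation answers above contrast the pre-4.2.0 redemption query with one that enforces a lifetime. As an added example, not code from the blueprintUE project, the following Python models both code paths on an in-memory SQLite table; the table layout, the one-hour lifetime and the sample account are assumptions, and because SQLite lacks UTC_TIMESTAMP() the cutoff is computed in Python and passed as a parameter. The hardened path also compares the token in constant time and clears it once used, which goes beyond the query shown on the page.

```python
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=1)  # matches the hardened query's INTERVAL 1 HOUR
# Constructed in-memory users table with the columns the advisory names.
SCHEMA = ("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,"
          " password_reset TEXT, password_reset_at TEXT)")

def issue_token(db, email, now):
    """Store a 128-character random token with its UTC issue time (ISO-8601 text)."""
    token = secrets.token_hex(64)  # 64 random bytes -> 128 hex characters
    db.execute("UPDATE users SET password_reset = ?, password_reset_at = ? WHERE email = ?",
               (token, now.isoformat(), email))
    return token

def redeem_vulnerable(db, email, token):
    """Pre-4.2.0 logic: only email and token are matched, so token age is never checked."""
    row = db.execute("SELECT id FROM users WHERE email = ? AND password_reset = ?",
                     (email, token)).fetchone()
    return row[0] if row else None

def redeem_fixed(db, email, token, now):
    """Hardened logic: enforce the TTL, compare in constant time, burn the token on use."""
    cutoff = (now - TOKEN_TTL).isoformat()  # SQLite lacks UTC_TIMESTAMP(), so compute it here
    row = db.execute("SELECT id, password_reset FROM users WHERE email = ?"
                     " AND password_reset_at >= ?", (email, cutoff)).fetchone()
    if row is None or row[1] is None or not hmac.compare_digest(row[1], token):
        return None
    db.execute("UPDATE users SET password_reset = NULL, password_reset_at = NULL"
               " WHERE id = ?", (row[0],))
    return row[0]

def run_scenario(email="alice@example.com"):
    """Issue a token for a constructed account, then exercise both code paths later."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO users (email) VALUES (?)", (email,))
    issued = datetime(2026, 4, 21, 12, 0, tzinfo=timezone.utc)
    token = issue_token(db, email, issued)
    later = issued + timedelta(days=30)
    return {
        "vulnerable_accepts_stale": redeem_vulnerable(db, email, token) == 1,
        "fixed_rejects_stale": redeem_fixed(db, email, token, later) is None,
        "fixed_rejects_wrong_token": redeem_fixed(db, email, "f" * 128, issued) is None,
        "fixed_accepts_fresh": redeem_fixed(db, email, token, issued + timedelta(minutes=5)) == 1,
        "fixed_rejects_reuse": redeem_fixed(db, email, token, issued + timedelta(minutes=6)) is None,
    }
```

Every entry returned by run_scenario() is True: the old query still honours a month-old token while the hardened path rejects it, rejects a wrong token, accepts a fresh one once and refuses its reuse.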
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows password reset tokens to remain valid indefinitely, which can lead to unauthorized access to user accounts if tokens are compromised. Such unauthorized access can result in breaches of confidentiality and integrity of user data.
From a compliance perspective, this flaw could negatively impact adherence to standards and regulations like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data. The indefinite validity of reset tokens increases the risk of data breaches, potentially leading to violations of data protection requirements.
Therefore, until patched, this vulnerability poses a risk to maintaining compliance with these regulations by failing to adequately secure password reset mechanisms and protect user data confidentiality.