CVE-2026-40586
Authentication Bypass via Unrestricted Login Attempts in blueprintUE
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blueprintue | blueprintue-self-hosted-edition | to 4.2.0 (exc) |
| blueprintue | blueprintue-self-hosted-edition | 4.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40586 is a vulnerability in blueprintUE's self-hosted edition prior to version 4.2.0, where the login form handler lacks any throttling or brute-force protection mechanisms.
Specifically, the login endpoint does not implement IP-based rate limiting, per-account failed attempt counters, temporary lockouts, progressive delays (tarpitting), or CAPTCHA challenges.
This means an attacker can submit an unlimited number of login attempts at full network speed, enabling credential stuffing, dictionary attacks, or targeted brute-force attacks without restriction.
Although the password policy requires complex passwords, it does not prevent attacks using breached credentials or predictable passwords.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to perform unlimited credential guessing attacks without any throttling or lockout mechanisms, which can lead to unauthorized access to user accounts.
Such unauthorized access risks breaches of data confidentiality, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive data.
The lack of brute-force protections and rate limiting increases the likelihood of credential stuffing and targeted attacks, potentially exposing regulated data and violating requirements for access controls and breach prevention.
How can this vulnerability impact me?
This vulnerability allows attackers to perform high-volume brute-force attacks on user accounts without any built-in detection or mitigation on the application's side.
An attacker can test hundreds of thousands of password guesses per hour per account, increasing the risk of unauthorized access.
Successful exploitation can lead to compromise of user accounts and unauthorized access to sensitive data, resulting in confidentiality breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high volumes of failed login attempts to the affected endpoints, such as POST requests to the login endpoint (/), password reset (/reset-password/), and user registration (/register/). Since there is no rate limiting or lockout, an attacker can send rapid sequential login attempts.
One way to detect this is by analyzing web server logs for a high rate of POST requests with failed authentication responses, especially if these requests come from the same IP address or target the same user accounts.
Suggested commands to detect such activity include using tools like grep and awk on server logs to identify repeated failed login attempts, for example:
- `grep 'POST / ' access.log | grep 'failed' | awk '{print $1}' | sort | uniq -c | sort -nr`
- `grep 'POST /reset-password/' access.log | awk '{print $1}' | sort | uniq -c | sort -nr`
- `grep 'POST /register/' access.log | awk '{print $1}' | sort | uniq -c | sort -nr`
These commands count the number of POST requests per IP address to the critical endpoints, helping identify IPs with excessive requests that may indicate brute-force attempts. Note that a standard web server access log records only the HTTP status code, not whether authentication succeeded, so the `grep 'failed'` filter in the first command only works if the application writes such a marker to the log; the portable signal is the volume of POST requests per IP to these endpoints.
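As an added example, not taken from the advisory or from the blueprintUE project, the following Python script applies the same per-IP counting to constructed access-log lines, but over a sliding time window so that a burst of POSTs to the authentication endpoints stands out from normal traffic. The Combined Log Format, the 60-second window, the threshold of 20 and the sample addresses 203.0.113.7 and 198.51.100.4 are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints from the advisory's detection advice (the login form posts to "/").
WATCHED_ENDPOINTS = {"/", "/reset-password/", "/register/"}

# Combined Log Format as written by nginx/Apache by default (assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def flag_bursts(lines, threshold=20, window_seconds=60):
    """Map IP -> peak number of POSTs to a watched endpoint inside any sliding
    window of window_seconds, keeping only IPs whose peak reaches threshold."""
    # The HTTP status alone does not say whether a login failed, so request
    # volume per IP on the authentication endpoints is the signal used here.
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED_ENDPOINTS:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log: one IP hammering the login form, one ordinary user.
def _sample(ip, offset_s, path="/", method="POST"):
    ts = datetime(2026, 4, 21, 10, 0, 0) + timedelta(seconds=offset_s)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"{method} {path} HTTP/1.1" 302 0 "-" "Mozilla/5.0"')

SAMPLE_LOG = ([_sample("203.0.113.7", i) for i in range(25)]
              + [_sample("198.51.100.4", i * 1800, "/reset-password/") for i in range(3)]
              + [_sample("198.51.100.4", 300, "/", "GET")])
```

Running `flag_bursts(SAMPLE_LOG)` on the constructed log reports only the bursting address; widening the window and lowering the threshold shows how the same routine can be tuned for slower, low-and-slow patterns.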
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing rate limiting and brute-force protections on the affected authentication endpoints.
- Configure the web server or reverse proxy (e.g., nginx or Apache) to limit the number of requests to login-related endpoints using rate-limiting directives such as nginx's limit_req_zone.
- Implement application-layer middleware to track failed login attempts per IP address using fast storage solutions like Redis, APCu, or a database, and return HTTP 429 responses when thresholds are exceeded.
- Add per-account lockout policies, for example locking an account for 15 minutes after 5 failed login attempts.
- Introduce CAPTCHA challenges after multiple consecutive failed login attempts from the same IP address.
Upgrading to blueprintue version 4.2.0 or later, where this vulnerability is fixed, is strongly recommended.