CVE-2026-40587
Received - Intake
Session Fixation in blueprintUE Allows Persistent Account Access

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store associates userID → session; the current password change/reset flow updates only the password column in the users table and does not destroy or mark invalid any active sessions. As a result, an attacker who has already compromised a session retains full access to the account indefinitely, even after the legitimate user has detected the intrusion and changed their password, until the session's natural expiry time (configured as SESSION_GC_MAXLIFETIME, defaulting to 86400 seconds / 24 hours, with SESSION_LIFETIME=0 meaning persistent until browser close or GC, whichever is later). This vulnerability is fixed in 4.2.0.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor        Product                          Version / Range
blueprintue   blueprintue                      4.2.0
blueprintue   blueprintue-self-hosted-edition  4.2.0
blueprintue   blueprintue-self-hosted-edition  up to 4.2.0 (excluding)
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker who has compromised a user session to maintain persistent unauthorized access to that user's account even after the user changes their password. This persistent access can lead to unauthorized disclosure and modification of sensitive personal or protected health information.

Such unauthorized access and failure to properly invalidate sessions after password changes can violate common security requirements found in standards and regulations like GDPR and HIPAA, which mandate protecting user data confidentiality and ensuring proper access controls.

Specifically, the vulnerability undermines session management controls that are critical for compliance with these regulations, potentially leading to data breaches and non-compliance penalties.


Can you explain this vulnerability to me?

CVE-2026-40587 is a vulnerability in blueprintUE versions up to 4.1.2 where active user sessions are not invalidated after a password change or reset.

When a user changes or resets their password, the system updates the password in the database but does not destroy or mark invalid any active authenticated sessions associated with that user.

As a result, an attacker who has already compromised a session (for example, by stealing a session cookie) retains full access to the account indefinitely until the session naturally expires, even after the legitimate user changes their password.

This happens because the session management system does not clear sessions upon password changes, relying instead on session expiration settings, which allows unauthorized access to persist.


How can this vulnerability impact me?

If an attacker has compromised a user's session, they can maintain persistent unauthorized access to that user's account even after the user changes or resets their password.

This means the attacker can continue to access sensitive information and perform actions on behalf of the user without interruption until the session expires, which by default can be up to 24 hours or longer if the session is persistent.

The vulnerability increases the risk of prolonged account compromise, data theft, and unauthorized actions, as password changes do not effectively block attackers who already hold valid session credentials.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by verifying whether active user sessions are invalidated after a password change or reset. Specifically, you can check if sessions associated with a user remain valid even after the user updates their password.

One way to detect this is to monitor session persistence after password changes by performing the following steps:

  • Log in as a user and capture the session cookie.
  • Change the user's password via the profile edit page or password reset.
  • Attempt to use the old session cookie to access the account.

If the session remains valid after the password change, the vulnerability exists.

For command-line detection, if sessions are stored in a database, you can query the sessions table to check if sessions for a user still exist after a password update. For example, using SQL:

  • SELECT * FROM sessions WHERE id_user = [userID];

If sessions remain after a password change, it indicates the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that all active sessions for a user are invalidated as soon as a password change or reset completes.

Recommended steps include:

  • Implement a method to delete all sessions associated with a user from the session store or database.
  • Modify the password change and reset functions to call this session invalidation method right after updating the password.
  • Regenerate the session for the legitimate user after password update to prevent session fixation.

If you are using PHP's default file-based sessions, consider switching to a database-backed session driver that supports user-session mapping to enable session invalidation.

Until the fix is applied, monitor and manually invalidate sessions if possible, and inform users to log out from all devices after password changes.
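To make the three answers above concrete (the vulnerable change/reset flow, the reuse-the-old-cookie detection check, and the invalidate-then-regenerate fix), here is an added Python model of a userID-keyed session store. It is illustrative code written for this page, not blueprintUE's own; the dict names, function names and the sample user are assumptions.

```python
import secrets

# Constructed in-memory stand-ins for the users table and the server-side
# session store (session id -> userID); assumed names, not blueprintUE's code.
users = {}      # user_id -> password hash (a plain string here for brevity)
sessions = {}   # session_id -> user_id, i.e. the "sessions" table

def login(user_id):
    """Issue a fresh session id for user_id, as the login flow would."""
    sid = secrets.token_hex(16)
    sessions[sid] = user_id
    return sid

def session_is_valid(sid, user_id):
    """What a request presenting cookie sid sees: still authenticated?"""
    return sessions.get(sid) == user_id

def change_password_vulnerable(user_id, new_hash, current_sid):
    """CVE-2026-40587 behaviour: only the password column changes; every
    session that maps to the user survives until SESSION_GC_MAXLIFETIME."""
    users[user_id] = new_hash
    return current_sid

def change_password_fixed(user_id, new_hash, current_sid):
    """Hardened flow: update the password, delete every session mapped to
    the user (the Q&A's SELECT ... WHERE id_user = ? followed by a DELETE),
    then issue the caller a brand-new id so the old one can never be reused."""
    users[user_id] = new_hash
    for sid in [s for s, uid in sessions.items() if uid == user_id]:
        del sessions[sid]
    return login(user_id)

def run_check(change_password):
    """Detection steps from the Q&A: an attacker already holds a session, the
    victim changes the password from their own session, then we test whether
    the stolen cookie still works. Returns (stolen_valid, victim_valid)."""
    users.clear()
    sessions.clear()
    users["alice"] = "hash-old"
    stolen_sid = login("alice")   # session already in the attacker's hands
    victim_sid = login("alice")   # the legitimate user's own session
    new_sid = change_password("alice", "hash-new", victim_sid)
    return session_is_valid(stolen_sid, "alice"), session_is_valid(new_sid, "alice")

if __name__ == "__main__":
    print("vulnerable:", run_check(change_password_vulnerable))  # (True, True)
    print("fixed:     ", run_check(change_password_fixed))       # (False, True)
```

The same check can be run against a real deployment by repeating the three cookie steps from the detection answer; if the pre-change cookie still authenticates, the installation behaves like change_password_vulnerable.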

