{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40585", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.476Z", "datePublished": "2026-04-21T17:09:17.982Z", "dateUpdated": "2026-04-21T17:48:47.758Z"}, "containers": {"cna": {"title": "blueprintUE: Password Reset Tokens Have No Expiry Window", "problemTypes": [{"descriptions": [{"cweId": "CWE-640", "lang": "en", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf"}], "affected": [{"vendor": "blueprintue", "product": "blueprintue-self-hosted-edition", "versions": [{"version": "< 4.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:09:17.982Z"}, "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair \u2014 it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0."}], "source": {"advisory": "GHSA-qr65-6vp8-whjf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:48:43.347479Z", "id": "CVE-2026-40585", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:48:47.758Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40585", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T17:48:43.347479Z"}}}], "references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:48:37.287Z"}}], "cna": {"title": "blueprintUE: Password Reset Tokens Have No Expiry Window", "source": {"advisory": "GHSA-qr65-6vp8-whjf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "blueprintue", "product": "blueprintue-self-hosted-edition", "versions": [{"status": "affected", "version": "< 4.2.0"}]}], "references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf", "name": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair \u2014 it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:09:17.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40585", "state": "PUBLISHED", "dateUpdated": "2026-04-21T17:48:47.758Z", "dateReserved": "2026-04-14T13:24:29.476Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T17:09:17.982Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption function findUserIDFromEmailAndToken() queries only for a matching email + password_reset token pair \u2014 it does not check whether the password_reset_at timestamp has elapsed any maximum window. A generated reset token is valid indefinitely until it is explicitly consumed or overwritten by a subsequent reset request. This vulnerability is fixed in 4.2.0."}], "id": "CVE-2026-40585", "lastModified": "2026-04-21T18:16:50.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:56.380", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-qr65-6vp8-whjf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T03:02:15.545197+00:00", "value": {"mitigation_remediation": ["Upgrade blueprintUE to version 4.2.0 or later to enforce token expiration logic.", "If an upgrade is not immediately possible, invalidate all existing tokens by forcing users to re\u2011initiate password resets or by resetting account passwords manually.", "Implement monitoring for unusual password reset activity and enforce strict access controls on token generation and consumption."], "summary": {"action": "Apply Patch", "impact": "Unauthorized account access through indefinitely valid password reset tokens"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in blueprintue self\u2011hosted editions prior to version 4.2.0. Any installation that has not applied the 4.2.0 update or later is affected.", "description_and_impact": "blueprintUE provides a 128\u2011character cryptographically secure token when a user requests a password reset. The token redemption function verifies only the email\u2013token pair and ignores the timestamp that records when the token was created. The token therefore remains valid indefinitely until it is consumed or overwritten by a later reset request. An attacker who learns or otherwise obtains a valid token can reset the targeted account\u2019s password at any time, effectively taking over that account and compromising its data and services. This flaw represents a credential compromise weakness identified as CWE\u2011640.", "risk_and_exploitability": "The CVSS score of 7.4 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker who obtains a reset token could use it at any time to reset the associated account because the token never expires. Attackers may acquire the token through social engineering, email interception, or other means. Because the window of exploitation is effectively unlimited, the risk is significant for any user with an active account. This vulnerability is considered high risk and should be addressed promptly."}}}}, "created": "2026-04-22T03:15:06.405428+00:00", "updated": "2026-04-22T03:15:06.405440+00:00", "vendors": []}