{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/blueprintue/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40588"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["blueprintUE"],"_cs_severities":["critical"],"_cs_tags":["blueprintUE","account-takeover","CVE-2026-40588","web-application"],"_cs_type":"advisory","_cs_vendors":["blueprintUE"],"content_html":"\u003cp\u003eblueprintUE, a tool for Unreal Engine developers, contains a critical vulnerability affecting versions prior to 4.2.0. The password change form at \u003ccode\u003e/profile/{slug}/edit/\u003c/code\u003e lacks a \u003ccode\u003ecurrent_password\u003c/code\u003e field and does not validate the user's existing password. This allows an attacker who has obtained a valid authenticated session to change the account password without knowing the original password. An attacker can obtain a valid session through various means, including XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or stealing the \u0026quot;remember me\u0026quot; cookie. The vulnerability, identified as CVE-2026-40588, enables immediate and permanent account takeover. Users of blueprintUE are urged to upgrade to version 4.2.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to a user's authenticated session. This could occur via XSS exploitation on the blueprintUE platform.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker performs session sidejacking over HTTP, intercepting the user's session cookie.\u003c/li\u003e\n\u003cli\u003eIn another scenario, the attacker gains physical access to a logged-in browser session on the user's machine.\u003c/li\u003e\n\u003cli\u003eThe attacker could also steal the user's \u0026quot;remember me\u0026quot; cookie, bypassing the need for active session hijacking.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the password change form at \u003ccode\u003e/profile/{slug}/edit/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker enters a new password and confirms it in the form.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003ecurrent_password\u003c/code\u003e validation, the password change is accepted without verifying the user's existing password.\u003c/li\u003e\n\u003cli\u003eThe account password is changed, resulting in complete account takeover, and the legitimate user is locked out.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40588 leads to complete account takeover on the blueprintUE platform. An attacker can then access, modify, or delete sensitive data associated with the compromised account, potentially disrupting Unreal Engine development projects and accessing private assets. Given the nature of blueprintUE as a development tool, compromised accounts could be used to inject malicious code into Unreal Engine projects, leading to further compromise of end-user systems. While the exact number of potentially affected users is not specified, any blueprintUE user on a version prior to 4.2.0 is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all blueprintUE installations to version 4.2.0 or later to patch CVE-2026-40588.\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unusual password change activity in web server logs, looking for requests to \u003ccode\u003e/profile/{slug}/edit/\u003c/code\u003e without a \u003ccode\u003ecurrent_password\u003c/code\u003e parameter (see example Sigma rule).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, implement temporary mitigations such as multi-factor authentication (MFA) and strong session management controls to make session hijacking and cookie theft more difficult.\u003c/li\u003e\n\u003cli\u003eReview web server logs for potential XSS attempts targeting blueprintUE users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-blueprintue-account-takeover/","summary":"blueprintUE versions prior to 4.2.0 are vulnerable to account takeover due to a missing current password validation on the password change form, allowing attackers with an authenticated session to change the password without knowing the original credential.","title":"blueprintUE Account Takeover Vulnerability (CVE-2026-40588)","url":"https://feed.craftedsignal.io/briefs/2024-01-26-blueprintue-account-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-40585"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["blueprintUE"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-40585","password-reset","blueprintUE"],"_cs_type":"advisory","_cs_vendors":["blueprintUE"],"content_html":"\u003cp\u003eblueprintUE, a tool used by Unreal Engine developers, contains a vulnerability in its password reset mechanism in versions prior to 4.2.0. When a user initiates a password reset, the application generates a 128-character cryptographically secure pseudo-random number generator (CSPRNG) token and stores it alongside a password_reset_at timestamp. The vulnerability, identified as CVE-2026-40585, stems from the \u003ccode\u003efindUserIDFromEmailAndToken()\u003c/code\u003e function, which only verifies the email address and reset token but fails to check the validity of the \u003ccode\u003epassword_reset_at\u003c/code\u003e timestamp. Consequently, a generated reset token remains valid indefinitely until it is either used for a password reset or overwritten by a subsequent password reset request. This issue is resolved in blueprintUE version 4.2.0. Defenders should prioritize identifying and upgrading vulnerable blueprintUE instances to version 4.2.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a user of a vulnerable blueprintUE instance.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a password reset for the target user's account. This generates a reset token and a timestamp which are stored by blueprintUE.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the password reset email sent to the target user. (This is an assumption as the source does not explicitly mention how the attacker obtains the token.)\u003c/li\u003e\n\u003cli\u003eThe target user, unaware of the attacker's actions, may also initiate a password reset, generating a new token and invalidating the first one (if it hadn't already been used).\u003c/li\u003e\n\u003cli\u003eThe attacker, possessing a valid (or previously valid) password reset token, crafts a malicious password reset request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efindUserIDFromEmailAndToken()\u003c/code\u003e function processes the request, validates the email and token against the stored values, but fails to check the \u003ccode\u003epassword_reset_at\u003c/code\u003e timestamp.\u003c/li\u003e\n\u003cli\u003eDue to the missing timestamp validation, the system incorrectly identifies the attacker as the legitimate owner of the account.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully resets the user's password and gains unauthorized access to their blueprintUE account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability, tracked as CVE-2026-40585, allows an attacker to gain unauthorized access to a blueprintUE user's account. The number of potential victims is dependent on the number of blueprintUE instances running versions prior to 4.2.0 and the number of active users on those instances. If successful, the attacker could potentially access and modify Unreal Engine projects, intellectual property, and other sensitive data associated with the compromised account. The impact could range from minor disruptions to significant financial losses, depending on the sensitivity and value of the accessed information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all blueprintUE instances to version 4.2.0 or later to remediate CVE-2026-40585.\u003c/li\u003e\n\u003cli\u003eImplement web server access logging to monitor for unusual password reset requests targeting specific accounts. Analyze webserver logs for POST requests to password reset endpoints (\u003ccode\u003ewebserver\u003c/code\u003e, \u003ccode\u003elinux\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect password reset requests originating from unusual or suspicious IP addresses (\u003ccode\u003enetwork_connection\u003c/code\u003e, \u003ccode\u003ewindows\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-blueprintue-password-reset/","summary":"blueprintUE versions before 4.2.0 generate password reset tokens that remain valid indefinitely due to the absence of a timestamp validation, allowing attackers to potentially gain unauthorized access via token reuse.","title":"blueprintUE Password Reset Token Vulnerability (CVE-2026-40585)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-blueprintue-password-reset/"}],"language":"en","title":"CraftedSignal Threat Feed - BlueprintUE","version":"https://jsonfeed.org/version/1.1"}