<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>BlueprintUE - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/blueprintue/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/blueprintue/feed.xml" rel="self" type="application/rss+xml"/><item><title>blueprintUE Account Takeover Vulnerability (CVE-2026-40588)</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-blueprintue-account-takeover/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-blueprintue-account-takeover/</guid><description>blueprintUE versions prior to 4.2.0 are vulnerable to account takeover due to a missing current password validation on the password change form, allowing attackers with an authenticated session to change the password without knowing the original credential.</description><content:encoded><![CDATA[<p>blueprintUE, a tool for Unreal Engine developers, contains a critical vulnerability affecting versions prior to 4.2.0. The password change form at <code>/profile/{slug}/edit/</code> lacks a <code>current_password</code> field and does not validate the user's existing password. This allows an attacker who has obtained a valid authenticated session to change the account password without knowing the original password. An attacker can obtain a valid session through various means, including XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or stealing the &quot;remember me&quot; cookie. The vulnerability, identified as CVE-2026-40588, enables immediate and permanent account takeover. Users of blueprintUE are urged to upgrade to version 4.2.0 or later to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains unauthorized access to a user's authenticated session. This could occur via XSS exploitation on the blueprintUE platform.</li>
<li>Alternatively, the attacker performs session sidejacking over HTTP, intercepting the user's session cookie.</li>
<li>In another scenario, the attacker gains physical access to a logged-in browser session on the user's machine.</li>
<li>The attacker could also steal the user's &quot;remember me&quot; cookie, bypassing the need for active session hijacking.</li>
<li>The attacker navigates to the password change form at <code>/profile/{slug}/edit/</code>.</li>
<li>The attacker enters a new password and confirms it in the form.</li>
<li>Due to the missing <code>current_password</code> validation, the password change is accepted without verifying the user's existing password.</li>
<li>The account password is changed, resulting in complete account takeover, and the legitimate user is locked out.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40588 leads to complete account takeover on the blueprintUE platform. An attacker can then access, modify, or delete sensitive data associated with the compromised account, potentially disrupting Unreal Engine development projects and accessing private assets. Given the nature of blueprintUE as a development tool, compromised accounts could be used to inject malicious code into Unreal Engine projects, leading to further compromise of end-user systems. While the exact number of potentially affected users is not specified, any blueprintUE user on a version prior to 4.2.0 is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all blueprintUE installations to version 4.2.0 or later to patch CVE-2026-40588.</li>
<li>Implement monitoring for unusual password change activity in web server logs, looking for requests to <code>/profile/{slug}/edit/</code> without a <code>current_password</code> parameter (see example Sigma rule).</li>
<li>If upgrading is not immediately possible, implement temporary mitigations such as multi-factor authentication (MFA) and strong session management controls to make session hijacking and cookie theft more difficult.</li>
<li>Review web server logs for potential XSS attempts targeting blueprintUE users.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>blueprintUE</category><category>account-takeover</category><category>CVE-2026-40588</category><category>web-application</category></item><item><title>blueprintUE Password Reset Token Vulnerability (CVE-2026-40585)</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-blueprintue-password-reset/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-blueprintue-password-reset/</guid><description>blueprintUE versions before 4.2.0 generate password reset tokens that remain valid indefinitely due to the absence of a timestamp validation, allowing attackers to potentially gain unauthorized access via token reuse.</description><content:encoded><![CDATA[<p>blueprintUE, a tool used by Unreal Engine developers, contains a vulnerability in its password reset mechanism in versions prior to 4.2.0. When a user initiates a password reset, the application generates a 128-character cryptographically secure pseudo-random number generator (CSPRNG) token and stores it alongside a password_reset_at timestamp. The vulnerability, identified as CVE-2026-40585, stems from the <code>findUserIDFromEmailAndToken()</code> function, which only verifies the email address and reset token but fails to check the validity of the <code>password_reset_at</code> timestamp. Consequently, a generated reset token remains valid indefinitely until it is either used for a password reset or overwritten by a subsequent password reset request. This issue is resolved in blueprintUE version 4.2.0. Defenders should prioritize identifying and upgrading vulnerable blueprintUE instances to version 4.2.0 or later.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a user of a vulnerable blueprintUE instance.</li>
<li>The attacker triggers a password reset for the target user's account. This generates a reset token and a timestamp which are stored by blueprintUE.</li>
<li>The attacker intercepts the password reset email sent to the target user. (This is an assumption as the source does not explicitly mention how the attacker obtains the token.)</li>
<li>The target user, unaware of the attacker's actions, may also initiate a password reset, generating a new token and invalidating the first one (if it hadn't already been used).</li>
<li>The attacker, possessing a valid (or previously valid) password reset token, crafts a malicious password reset request.</li>
<li>The <code>findUserIDFromEmailAndToken()</code> function processes the request, validates the email and token against the stored values, but fails to check the <code>password_reset_at</code> timestamp.</li>
<li>Due to the missing timestamp validation, the system incorrectly identifies the attacker as the legitimate owner of the account.</li>
<li>The attacker successfully resets the user's password and gains unauthorized access to their blueprintUE account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability, tracked as CVE-2026-40585, allows an attacker to gain unauthorized access to a blueprintUE user's account. The number of potential victims is dependent on the number of blueprintUE instances running versions prior to 4.2.0 and the number of active users on those instances. If successful, the attacker could potentially access and modify Unreal Engine projects, intellectual property, and other sensitive data associated with the compromised account. The impact could range from minor disruptions to significant financial losses, depending on the sensitivity and value of the accessed information.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all blueprintUE instances to version 4.2.0 or later to remediate CVE-2026-40585.</li>
<li>Implement web server access logging to monitor for unusual password reset requests targeting specific accounts. Analyze webserver logs for POST requests to password reset endpoints (<code>webserver</code>, <code>linux</code>).</li>
<li>Deploy the Sigma rule to detect password reset requests originating from unusual or suspicious IP addresses (<code>network_connection</code>, <code>windows</code>).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-40585</category><category>password-reset</category><category>blueprintUE</category></item></channel></rss>