{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40587", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.476Z", "datePublished": "2026-04-21T17:11:23.740Z", "dateUpdated": "2026-04-21T20:37:05.304Z"}, "containers": {"cna": {"title": "blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-gqpq-x62g-p4mg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-gqpq-x62g-p4mg"}], "affected": [{"vendor": "blueprintue", "product": "blueprintue-self-hosted-edition", "versions": [{"version": "< 4.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:11:23.740Z"}, "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store associates userID \u2192 session; the current password change/reset flow updates only the password column in the users table and does not destroy or mark invalid any active sessions. As a result, an attacker who has already compromised a session retains full access to the account indefinitely \u2014 even after the legitimate user has detected the intrusion and changed their password \u2014 until the session's natural expiry time (configured as SESSION_GC_MAXLIFETIME, defaulting to 86400 seconds / 24 hours, with SESSION_LIFETIME=0 meaning persistent until browser close or GC, whichever is later). This vulnerability is fixed in 4.2.0."}], "source": {"advisory": "GHSA-gqpq-x62g-p4mg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-gqpq-x62g-p4mg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:59:20.313580Z", "id": "CVE-2026-40587", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:37:05.304Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40587", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T19:59:20.313580Z"}}}], "references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-gqpq-x62g-p4mg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:59:29.703Z"}}], "cna": {"title": "blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset", "source": {"advisory": "GHSA-gqpq-x62g-p4mg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "blueprintue", "product": "blueprintue-self-hosted-edition", "versions": [{"status": "affected", "version": "< 4.2.0"}]}], "references": [{"url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-gqpq-x62g-p4mg", "name": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-gqpq-x62g-p4mg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store associates userID \u2192 session; the current password change/reset flow updates only the password column in the users table and does not destroy or mark invalid any active sessions. As a result, an attacker who has already compromised a session retains full access to the account indefinitely \u2014 even after the legitimate user has detected the intrusion and changed their password \u2014 until the session's natural expiry time (configured as SESSION_GC_MAXLIFETIME, defaulting to 86400 seconds / 24 hours, with SESSION_LIFETIME=0 meaning persistent until browser close or GC, whichever is later). This vulnerability is fixed in 4.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:11:23.740Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40587", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:37:05.304Z", "dateReserved": "2026-04-14T13:24:29.476Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T17:11:23.740Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store associates userID \u2192 session; the current password change/reset flow updates only the password column in the users table and does not destroy or mark invalid any active sessions. As a result, an attacker who has already compromised a session retains full access to the account indefinitely \u2014 even after the legitimate user has detected the intrusion and changed their password \u2014 until the session's natural expiry time (configured as SESSION_GC_MAXLIFETIME, defaulting to 86400 seconds / 24 hours, with SESSION_LIFETIME=0 meaning persistent until browser close or GC, whichever is later). This vulnerability is fixed in 4.2.0."}], "id": "CVE-2026-40587", "lastModified": "2026-04-21T21:16:42.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T18:16:51.073", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-gqpq-x62g-p4mg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/blueprintue/blueprintue-self-hosted-edition/security/advisories/GHSA-gqpq-x62g-p4mg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T22:32:58.280829+00:00", "value": {"mitigation_remediation": ["Upgrade to blueprintUE version 4.2.0 or later, where active sessions are invalidated on password change or reset.", "If an upgrade is not immediately possible, manually clear all user sessions from the session store to terminate compromised tokens.", "Consider lowering the SESSION_GC_MAXLIFETIME parameter or configuring sessions to be terminated at password change via custom patch, ensuring future sessions do not persist beyond a reasonable timeframe."], "summary": {"action": "Patch Now", "impact": "Account Compromise Persistence"}, "threat_synthesis": {"affected_systems": "All installations of blueprintUE self-hosted edition older than version 4.2.0 are impacted; the vulnerability is fixed in 4.2.0.", "description_and_impact": "The flaw lies in the session management mechanism of blueprintUE. When a user changes their password or completes a reset through the web interface, the current session store continues to reference the existing session tokens. Consequently, any actor who has already hijacked a session remains fully authenticated until that session is naturally discarded, typically after 24 hours or when the browser is closed. This allows repeated unauthorized access to the user's account after the legitimate owner has taken remedial action, effectively turning temporary credential theft into persistent state. The weakness is classified as CWE-613, indicating that session invalidation is omitted after a password change.", "risk_and_exploitability": "The CVSS score is 6.5, indicating a medium severity that could lead to persistent account compromise. EPSS is not reported, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote, requiring an attacker to possess a valid session cookie, which could be obtained through typical credential theft or other session hijacking techniques. Once a session is hijacked, the vulnerability allows it to remain active indefinitely, raising the risk of long-term unauthorized access. Even with session timeout policies, the window of exposure expands to the full GC lifetime or browser lifetime."}}}}, "created": "2026-04-21T22:45:16.048316+00:00", "updated": "2026-04-21T22:45:16.048333+00:00", "vendors": []}