216.73.217.172

CVE-2026-40586

· Published 21/04/2026 17:16 · Modified 22/04/2026 21:16

Labels: CVE-2026-40586 2026-04-21CVE-2026-40586CWE-307[email protected]

Essential information

Published
21/04/2026 17:16
Modified
22/04/2026 21:16
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressive delay (Tarpit), and no CAPTCHA challenge. An attacker can submit an unlimited number of credential guesses. The password policy (10+ characters, mixed case, digit, special character) reduces the effective keyspace but does not prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against known users with predictable passwords. This vulnerability is fixed in 4.2.0.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
unreal engine / blueprintue cpe:2.3:a:unreal_engine:blueprintue:*:*:*:*:*:*:*:*
unreal engine / unreal engine cpe:2.3:a:unreal_engine:unreal_engine:<4.2.0:*:*:*:*:*:*:*

References