
CVE-2026-40587 — blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset

CVSS 6.5 · Medium · EPSS 0.03% · P10

I. Basic Information for CVE-2026-40587

Vulnerability Information


Vulnerability Title
blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset
Source: NVD (National Vulnerability Database)
Vulnerability Description
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store associates userID → session; the current password change/reset flow updates only the password column in the users table and does not destroy or mark invalid any active sessions. As a result, an attacker who has already compromised a session retains full access to the account indefinitely — even after the legitimate user has detected the intrusion and changed their password — until the session's natural expiry time (configured as SESSION_GC_MAXLIFETIME, defaulting to 86400 seconds / 24 hours, with SESSION_LIFETIME=0 meaning persistent until browser close or GC, whichever is later). This vulnerability is fixed in 4.2.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Insufficient Session Expiration
Source: NVD (National Vulnerability Database)
Vulnerability Title
blueprintUE self-hosted edition security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
blueprintUE self-hosted edition is an open-source, self-hosted data modelling and visualisation tool from blueprintUE. Versions of blueprintUE self-hosted edition before 4.2.0 contain a security vulnerability: when a user changes their password via the profile edit page or completes a password reset via the reset link, neither operation invalidates that user's existing authenticated sessions. An attacker who has already compromised a session can therefore keep full access to the account after the legitimate user has detected the intrusion and changed their password, until the session expires naturally.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
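The NVD description above names both the defect (the server-side store maps a user to their sessions, but the password change and reset flows touch only the password column) and, implicitly, the fix. The model below is an added example written for this page in Python; it is not code from the blueprintUE project, and every name in it (User, SessionStore, password_generation, change_password_vulnerable, change_password_fixed, authenticate) is a constructed assumption rather than a blueprintUE identifier. It places the vulnerable flow beside a hardened one that does two things: it destroys every other session of the user at change time, and it stamps each session with the password generation it was issued under so that any record the store could not destroy is still rejected on its next request. The reset-via-link case passes no current session, so all sessions are dropped.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    salt: bytes
    password_hash: bytes
    password_generation: int = 0  # hypothetical column: bumped on every change/reset


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 only keeps the demo self-contained; a real app uses its existing hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Constructed stand-in for a server-side session store (session id -> record).
    Each record carries the user id and the password generation it was issued under."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user.user_id, "generation": user.password_generation}
        return sid

    def get(self, sid: str) -> dict | None:
        return self._sessions.get(sid)

    def destroy_others_for_user(self, user_id: int, keep_sid: str | None) -> int:
        # Drop every session of this user except the one performing the change, if any.
        stale = [s for s, r in self._sessions.items() if r["user_id"] == user_id and s != keep_sid]
        for s in stale:
            del self._sessions[s]
        return len(stale)


def change_password_vulnerable(user: User, new_password: str) -> None:
    # The flaw in the advisory: only the password column changes, so every
    # existing session for the user stays usable until it expires on its own.
    user.password_hash = hash_password(new_password, user.salt)


def change_password_fixed(user: User, store: SessionStore, new_password: str,
                          current_sid: str | None) -> int:
    # Hardened flow: update the hash, bump the generation, destroy other sessions.
    # current_sid is None when a reset link completes with no logged-in session.
    user.password_hash = hash_password(new_password, user.salt)
    user.password_generation += 1
    destroyed = store.destroy_others_for_user(user.user_id, current_sid)
    rec = store.get(current_sid) if current_sid is not None else None
    if rec is not None:  # re-stamp the session that made the change so it survives
        rec["generation"] = user.password_generation
    return destroyed


def authenticate(users: dict[int, User], store: SessionStore, sid: str) -> int | None:
    # Second layer for stores that cannot enumerate sessions by user (e.g. plain
    # file-backed sessions): a record issued under an older generation is rejected.
    rec = store.get(sid)
    if rec is None:
        return None
    user = users.get(rec["user_id"])
    if user is None or rec["generation"] != user.password_generation:
        return None
    return user.user_id


def demo() -> dict:
    salt = secrets.token_bytes(16)
    alice = User(1, salt, hash_password("old-password", salt))
    users, store = {1: alice}, SessionStore()
    own_sid = store.create(alice)    # the legitimate user's own browser
    other_sid = store.create(alice)  # a second session, assumed already compromised
    out = {}
    change_password_vulnerable(alice, "new-password-1")
    out["vulnerable_other_still_valid"] = authenticate(users, store, other_sid) == 1
    out["fixed_destroyed"] = change_password_fixed(alice, store, "new-password-2", own_sid)
    out["fixed_other_valid"] = authenticate(users, store, other_sid) == 1
    out["fixed_own_valid"] = authenticate(users, store, own_sid) == 1
    # A record the store failed to destroy is still rejected by the generation check.
    lingering = store.create(alice)
    alice.password_generation += 1
    out["lingering_valid"] = authenticate(users, store, lingering) == 1
    # Reset completed via link: no session to keep, so every session is dropped.
    change_password_fixed(alice, store, "new-password-3", None)
    out["reset_own_valid"] = authenticate(users, store, own_sid) == 1
    return out
```

Running demo() shows the compromised second session surviving the vulnerable change and being rejected after the hardened one, while the session that performed the change keeps working. The generation stamp matters for deployments whose session backend cannot look sessions up by user: there the per-request check in authenticate() is what actually ends the stale session, rather than the expiry configured by SESSION_GC_MAXLIFETIME.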

Affected Products

Vendor: blueprintue · Product: blueprintue-self-hosted-edition · Affected Versions: < 4.2.0 · CPE: -

II. Public POCs for CVE-2026-40587

No public POC found.

III. Intelligence Information for CVE-2026-40587


Same Patch Batch · blueprintue · 2026-04-21 · 4 CVEs total

CVE-2026-40588 · 8.1 HIGH · blueprintUE: Authenticated Password Change Does Not Verify Current Password
CVE-2026-40586 · 7.5 HIGH · blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection
CVE-2026-40585 · 7.4 HIGH · blueprintUE: Password Reset Tokens Have No Expiry Window

IV. Related Vulnerabilities

V. Comments for CVE-2026-40587

No comments yet
