PT-2026-34035 · Unknown · Blueprintue

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-40587

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: blueprintUE versions prior to 4.2.0

Description: Changing a password through the profile edit page, or completing a password reset via a reset link, does not invalidate existing authenticated sessions. The server-side session store associates a userID with each session, but the password update path only modifies the password column in the users table and never destroys the user's active sessions. Consequently, an attacker holding a compromised session retains access to the account until that session expires naturally, as governed by the SESSION GC MAXLIFETIME (default 86400 seconds) or SESSION LIFETIME configuration.

Recommendations: Update to version 4.2.0.
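The following is an added Python model of the behaviour described above, not blueprintUE's own code. It assumes a server-side session store keyed by session id and a users table holding a salt and password hash (both constructed here): `change_password_vulnerable` mirrors the pre-4.2.0 path that touches only the password column, while `change_password_fixed` additionally destroys the user's other sessions, so a session compromised before the change no longer survives it.

```python
import hashlib
import secrets
import time

SESSION_GC_MAXLIFETIME = 86400  # default named in the advisory, in seconds


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user_id": ..., "created": ...}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "created": time.time()}
        return sid

    def is_valid(self, sid):
        s = self._sessions.get(sid)
        expired = s is not None and time.time() - s["created"] > SESSION_GC_MAXLIFETIME
        if expired:
            del self._sessions[sid]  # GC reaps a session only after its lifetime elapses
        return s is not None and not expired

    def destroy_for_user(self, user_id, keep=None):
        # Destroy every session of user_id except `keep`; return how many were destroyed
        doomed = [sid for sid, s in self._sessions.items()
                  if s["user_id"] == user_id and sid != keep]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def change_password_vulnerable(users, user_id, new_password):
    # Pre-4.2.0 behaviour as described: only the password column is updated
    users[user_id]["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), users[user_id]["salt"], 100_000)


def change_password_fixed(users, store, user_id, new_password, current_sid=None):
    # Same update, then invalidate the user's other sessions (reset link: current_sid=None)
    change_password_vulnerable(users, user_id, new_password)
    return store.destroy_for_user(user_id, keep=current_sid)


def attacker_session_survives(fixed):
    users = {1: {"salt": b"constructed-salt", "password_hash": b""}}  # constructed row
    store = SessionStore()
    attacker_sid = store.create(1)  # constructed: a session compromised earlier
    victim_sid = store.create(1)    # the session the victim changes the password from
    if fixed:
        change_password_fixed(users, store, 1, "new-passphrase", current_sid=victim_sid)
    else:
        change_password_vulnerable(users, 1, "new-passphrase")
    return store.is_valid(attacker_sid)
```

With the fix applied, the profile-edit flow keeps only the requester's own session, and the reset-link flow (no `current_sid`) destroys every session for the user.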


Weakness Enumeration: Insufficient Session Expiration

Related Identifiers: CVE-2026-40587

Affected Products: Blueprintue