FWebRemoteControlModule::HandleBatchRequest crash when using bEnforcePassphraseForRemoteClients=False

anonymous-edc · March 18, 2026, 9:14pm

If you enable the RemoteControl plugin, disable the need for passphrases for clients to connect, then the engine will crash during a batch call trying to parse passphrases.

[Attachment Removed]

anonymous-edc · March 18, 2026, 9:14pm

Steps to Reproduce

Enable the RemoteControl plugin with Unreal and use the following ini settings:

[/Script/RemoteControlCommon.RemoteControlSettings]
 
bRestrictServerAccess=True
 
bAllowConsoleCommandRemoteExecution=True
 
AllowlistedClients=(LowerBound=(A=127,B=0,C=0,D=1),UpperBound=(A=127,B=0,C=0,D=1))
 
AllowedOrigin="http://localhost"
 
bEnforcePassphraseForRemoteClients=False
 
bIgnoreProtectedCheck=True
 
bIgnoreGetterSetterCheck=True

When run a remote batch curl call like so:

curl -s -X PUT http://127.0.0.1:30010/remote/batch \
  -H "Content-Type: application/json" \
  -d '{
    "Requests": [
      {
        "RequestId": 1,
        "URL": "/remote/object/property",
        "Verb": "PUT",
        "Body": {
          "ObjectPath": "/Script/Engine.Default__KismetMathLibrary",
          "PropertyName": "Class"
        }
      },
      {
        "RequestId": 2,
        "URL": "/remote/object/describe",
        "Verb": "PUT",
        "Body": {
          "ObjectPath": "/Script/Engine.Default__KismetSystemLibrary"
        }
      },
      {
        "RequestId": 3,
        "URL": "/remote/object/describe",
        "Verb": "PUT",
        "Body": {
          "ObjectPath": "/Script/Engine.Default__KismetMathLibrary"
        }
      }
    ]
  }'

The engine will crash on line 930 within FWebRemoteControlWebModule::HandleBatchRequest

BatchRequest.Passphrase = Request.Headers[WebRemoteControlInternalUtils::PassphraseHeader].Last();This is due to not enforcing passphrases for clients.

Suggested Fix:

Change this line:

BatchRequest.Passphrase = Request.Headers[WebRemoteControlInternalUtils::PassphraseHeader].Last();To this:

const TArray<FString>* PassphraseValues = Request.Headers.Find(WebRemoteControlInternalUtils::PassphraseHeader);
BatchRequest.Passphrase = PassphraseValues ? PassphraseValues->Last() : FString(TEXT(""));

[Attachment Removed]

anonymous-edc · March 20, 2026, 7:18pm

Hi Roby,

Thank you for reporting this issue and providing repro steps and a proposed fix (which looks good). I was able to reproduce this crash on all UE versions since 5.3 up to the latest source build.

In my tests, I also noticed that the crash is reproducible even with an empty “{}” request. Moreover, the Remote Control plugin just needs to be configured to not perform passphrase verification, which is the case, for example, with the default “bRestrictServerAccess=False” setting regardless of other settings.

I’ve filed an internal bug report for this issue. Here’s the tracking number: UE-370949. The link should become accessible once the devs mark it as public.

Let me know if there is anything else I can help you with on this matter.

Best regards,

Vitor

[Attachment Removed]