CVE-2026-54103

CRITICAL

U.S. GAO EPDS and CBCA EDS unauthenticated password change

Title source: cna
STIX 2.1

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

Scores

CVSS v3 9.8
EPSS 0.0043
EPSS Percentile 34.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-306
Status published
Products (4)
Civilian Board of Contract Appeals/Electronic Docketing System (EDS) < 2026-03-19
Civilian Board of Contract Appeals/Electronic Docketing System (EDS) 2026-03-19
Government Accountability Office/Electronic Protest Docketing System (EPDS) < 2026-02-22
Government Accountability Office/Electronic Protest Docketing System (EPDS) 2026-02-22
Published Jun 18, 2026
Tracked Since Jun 18, 2026