CVE-2026-54103
CRITICALU.S. GAO EPDS and CBCA EDS unauthenticated password change
Title source: cnaDescription
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
References (4)
Core 4
Scores
CVSS v3
9.8
EPSS
0.0043
EPSS Percentile
34.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-306
Status
published
Products (4)
Civilian Board of Contract Appeals/Electronic Docketing System (EDS)
< 2026-03-19
Civilian Board of Contract Appeals/Electronic Docketing System (EDS)
2026-03-19
Government Accountability Office/Electronic Protest Docketing System (EPDS)
< 2026-02-22
Government Accountability Office/Electronic Protest Docketing System (EPDS)
2026-02-22
Published
Jun 18, 2026
Tracked Since
Jun 18, 2026