CVE-2026-54105

MEDIUM

U.S. GAO EPDS and CBCA EDS user information disclosure

Title source: cna
STIX 2.1

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.

Scores

CVSS v3 5.3
EPSS 0.0030
EPSS Percentile 21.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (4)
Civilian Board of Contract Appeals/Electronic Docketing System (EDS) < 2026-03-19
Civilian Board of Contract Appeals/Electronic Docketing System (EDS) 2026-03-19
Government Accountability Office/Electronic Protest Docketing System (EPDS) < 2026-02-22
Government Accountability Office/Electronic Protest Docketing System (EPDS) 2026-02-22
Published Jun 18, 2026
Tracked Since Jun 18, 2026