CVE-2026-54105
MEDIUMU.S. GAO EPDS and CBCA EDS user information disclosure
Title source: cnaDescription
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.
References (4)
Core 4
Scores
CVSS v3
5.3
EPSS
0.0030
EPSS Percentile
21.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (4)
Civilian Board of Contract Appeals/Electronic Docketing System (EDS)
< 2026-03-19
Civilian Board of Contract Appeals/Electronic Docketing System (EDS)
2026-03-19
Government Accountability Office/Electronic Protest Docketing System (EPDS)
< 2026-02-22
Government Accountability Office/Electronic Protest Docketing System (EPDS)
2026-02-22
Published
Jun 18, 2026
Tracked Since
Jun 18, 2026