CVE-2026-54103
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Government Accountability Office | Electronic Protest Docketing System (EPDS) | 0 < 2026-02-22 | affected |
| Government Accountability Office | Electronic Protest Docketing System (EPDS) | 2026-02-22 | unaffected |
| Civilian Board of Contract Appeals | Electronic Docketing System (EDS) | 0 < 2026-03-19 | affected |
| Civilian Board of Contract Appeals | Electronic Docketing System (EDS) | 2026-03-19 | unaffected |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json
- https://www.cve.org/CVERecord?id=CVE-2026-54103
- https://epds.gao.gov/
- https://www.eds.cbca.gov/login
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.