CVE-2026-54103

Summary

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

Affected Software

VendorProductVersion RangeStatus
Government Accountability OfficeElectronic Protest Docketing System (EPDS)0 < 2026-02-22affected
Government Accountability OfficeElectronic Protest Docketing System (EPDS)2026-02-22unaffected
Civilian Board of Contract AppealsElectronic Docketing System (EDS)0 < 2026-03-19affected
Civilian Board of Contract AppealsElectronic Docketing System (EDS)2026-03-19unaffected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References