CVE-2026-54105

Summary

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.

Affected Software

VendorProductVersion RangeStatus
Government Accountability OfficeElectronic Protest Docketing System (EPDS)0 < 2026-02-22affected
Government Accountability OfficeElectronic Protest Docketing System (EPDS)2026-02-22unaffected
Civilian Board of Contract AppealsElectronic Docketing System (EDS)0 < 2026-03-19affected
Civilian Board of Contract AppealsElectronic Docketing System (EDS)2026-03-19unaffected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References