CVE-2026-54103

U.S. GAO EPDS and CBCA EDS unauthenticated password change

CVSS 9.3 CRITICALEPSS 0.4%CWE-306

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Civilian Board of Contract Appeals · Electronic Docketing System (EDS)Government Accountability Office · Electronic Protest Docketing System (EPDS)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://epds.gao.gov/https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json https://www.cve.org/CVERecord?id=CVE-2026-54103 https://www.eds.cbca.gov/login