← volver
CVE-2026-54103

U.S. GAO EPDS and CBCA EDS unauthenticated password change

CVSS 9.3 CRITICALEPSS 0.4%CWE-306
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Productos afectados
Civilian Board of Contract Appeals · Electronic Docketing System (EDS)Government Accountability Office · Electronic Protest Docketing System (EPDS)

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://epds.gao.gov/https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.jsonhttps://www.cve.org/CVERecord?id=CVE-2026-54103https://www.eds.cbca.gov/login