U.S. GAO EPDS and CBCA EDS unauthenticated password change

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

Basic Information

ID CVE-2026-54103

Source cisa-cg

Published Jun 18, 2026 at 16:12

Modified Jun 19, 2026 at 03:55

Affected Product

Vendor Government Accountability Office

Product Electronic Protest Docketing System (EPDS)

Affected Versions Government Accountability Office Electronic Protest Docketing System (EPDS) 0
Civilian Board of Contract Appeals Electronic Docketing System (EDS) 0

CWE Classification

CWE-306

References

{
    "lastseen": "",
    "description": "The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.",
    "published": "2026-06-18T16:12:35.433Z",
    "modified": "2026-06-19T03:55:58.779Z",
    "type": "cve",
    "title": "U.S. GAO EPDS and CBCA EDS unauthenticated password change",
    "source": "cisa-cg",
    "references": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json\nhttps://www.cve.org/CVERecord?id=CVE-2026-54103\nhttps://epds.gao.gov/\nhttps://www.eds.cbca.gov/login",
    "id": "CVE-2026-54103",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "Government Accountability Office Electronic Protest Docketing System (EPDS) 0\nCivilian Board of Contract Appeals Electronic Docketing System (EDS) 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Electronic Protest Docketing System (EPDS)",
    "version": "0",
    "vendor": "Government Accountability Office",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

U.S. GAO EPDS and CBCA EDS unauthenticated password change_CVE-2026-54103