VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026 · Updated Jun 19, 2026

U.S. GAO EPDS and CBCA EDS unauthenticated password change

CVE-2026-54103

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
