Unrated severityNVD Advisory· Published Jun 18, 2026· Updated Jun 19, 2026

U.S. GAO EPDS and CBCA EDS client-based privilege escalation

CVE-2026-54104

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.

Affected products

GAO/Electronic Protest Docketing Systemllm-create
CBCA/Electronic Docketing Systemllm-create

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

epds.gao.govmitreproduct
www.cve.org/CVERecordmitrevdb-entry
www.eds.cbca.gov/loginmitreproduct
raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.jsonmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000