Unrated severityNVD Advisory· Published Jun 18, 2026

U.S. GAO EPDS and CBCA EDS user information disclosure

CVE-2026-54105

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.

Affected products

U.S. Government Accountability Office/Electronic Protest Docketing Systemllm-create
Civilian Board Of Contract Appeals/Electronic Docketing Systemllm-create

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

epds.gao.govmitreproduct
www.cve.org/CVERecordmitrevdb-entry
www.eds.cbca.gov/loginmitreproduct
raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.jsonmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000