Unrated severity · NVD Advisory · Published Jun 18, 2026
U.S. GAO EPDS and CBCA EDS network access control bypass
CVE-2026-54106
Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.
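The class of flaw described above, shown as an added example (not code from GAO, CBCA or the advisory; how the affected systems are built is not stated on this page). It contrasts an address check that believes any X-Forwarded-For value with one that accepts the header only from known reverse proxies. The network ranges, sample requests and function names are constructed assumptions.

```python
import ipaddress

# Constructed values for illustration; not taken from the advisory.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # our own reverse proxies
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # allowed to reach admin login


def _within(addr, networks):
    return any(addr in net for net in networks)


def naive_client_ip(peer, xff):
    """Weak pattern: believe the leftmost X-Forwarded-For entry from anyone."""
    return ipaddress.ip_address(xff.split(",")[0].strip() if xff else peer)


def validated_client_ip(peer, xff):
    """Return the address to use for access decisions, or None to deny.

    peer is the TCP source address; xff is the raw header value or None.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not xff or not _within(peer_addr, TRUSTED_PROXIES):
        return peer_addr  # header from a non-proxy peer is client-controlled
    # Each trusted proxy appends the address it saw, so walk right to left and
    # stop at the first hop that is not one of our proxies.
    for hop in reversed(xff.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed chain: fail closed
        if not _within(addr, TRUSTED_PROXIES):
            return addr
    return peer_addr  # chain contained only our own proxies


def admin_login_allowed(resolver, peer, xff):
    addr = resolver(peer, xff)
    return addr is not None and _within(addr, ADMIN_NETWORKS)


# Constructed requests: (TCP peer, X-Forwarded-For header)
SPOOF_DIRECT = ("203.0.113.50", "192.0.2.10")
SPOOF_VIA_PROXY = ("10.0.0.5", "192.0.2.10, 203.0.113.50")
LEGITIMATE = ("10.0.0.5", "192.0.2.10")
```

With the validated resolver, valid administrator credentials presented from outside the allowed networks are still refused, because the address used for the decision is one the proxy observed rather than one the client supplied.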
Affected products: 2
References (4)
- epds.gao.gov (mitre, product)
- www.cve.org/CVERecord (mitre, vdb-entry)
- www.eds.cbca.gov/login (mitre, product)
- raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json (mitre)