Skip to main content

EPDS and EDS CVE-2026-54104

| EUVDEUVD-2026-37911 HIGH
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-06-18 cisa-cg GHSA-768x-r5g5-79vc
8.7
CVSS 4.0 · Vendor: cisa-cg
Share

Severity by source

Vendor (cisa-cg) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable web app, trivial parameter tampering, requires any authenticated account (PR:L), no user interaction, full impact on docketing data confidentiality, integrity, and availability.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (cisa-cg).

CVSS VectorVendor: cisa-cg

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 18, 2026 - 19:45 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 18, 2026 - 19:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 18, 2026 - 19:38 vuln.today
cvss_changed
CVSS changed
Jun 18, 2026 - 19:38 NVD
8.8 (HIGH) 8.7 (HIGH)
Patch available
Jun 18, 2026 - 19:01 EUVD
Analysis Generated
Jun 18, 2026 - 17:05 vuln.today
CVE Published
Jun 18, 2026 - 16:12 cve.org
HIGH 8.8

DescriptionCVE.org

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.

AnalysisAI

Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows authenticated remote attackers to elevate their privileges by tampering with the client-supplied 'epds_role_id' parameter, which the server accepts without verification. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise low-privilege EPDS/EDS account
Delivery
Authenticate to docketing portal
Exploit
Intercept authenticated request via proxy
Execution
Tamper epds_role_id with elevated role value
Persist
Server accepts unverified role identifier
Impact
Access sealed filings and administrative functions

Vulnerability AssessmentAI

Exploitation Attacker must hold a valid authenticated account on either https://epds.gao.gov/ (EPDS) or https://www.eds.cbca.gov/login (EDS) - the CVSS PR:L confirms low-privilege authentication is required - and must be able to send an HTTP request that includes the 'epds_role_id' parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VC/VI/VA all High reflects a network-reachable, low-complexity flaw exploitable by any authenticated user with no interaction, producing full confidentiality, integrity, and availability impact on docketing data - protest filings, sealed exhibits, and adjudication records. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A registered EPDS or EDS user - for example, an attorney with a low-privilege filer account - logs in normally, then intercepts an authenticated request with a web proxy and modifies the 'epds_role_id' value to that of an administrator or adjudicator role. The server honors the substituted identifier without checking it against the session, granting the attacker access to other parties' protest filings, sealed exhibits, and administrative functions; no public exploit is identified at time of analysis but the technique is trivial enough to be reproduced from the advisory alone.
Remediation Patch available per vendor advisory: GAO deployed the EPDS fix on 2026-02-22 and CBCA deployed the EDS fix on 2026-03-19, both applied server-side to the hosted services, so users do not need to take direct action beyond confirming they are accessing the live production sites at https://epds.gao.gov/ and https://www.eds.cbca.gov/login. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Verify your organization's operational reliance on EPDS or EDS; contact the GAO or CBCA to confirm patch deployment status in your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy