Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Endpoint is internet-reachable with no auth and no user interaction (AV:N/AC:L/PR:N/UI:N); arbitrary password reset yields full account takeover, so C/I/A all High.
Primary rating from Vendor (cisa-cg).
CVSS VectorVendor: cisa-cg
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
AnalysisAI
Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default deployments of the EPDS portal at epds.gao.gov and the EDS portal at eds.cbca.gov via the '/update-profile/N' API endpoint, where N is the target user's identifier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to high real-world risk: CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N gives a 9.3 score with full VC/VI/VA high impact on the vulnerable system, meaning the attack is internet-reachable, requires no privileges, no user interaction, and no special attack conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who knows or can enumerate a target user identifier (for example, a contracting officer or attorney known to file protests) sends a single unauthenticated HTTP request to https://epds.gao.gov/update-profile/{N} (or the EDS equivalent) with a new password in the body, then logs in as that user to read sealed protest filings, exfiltrate procurement-sensitive documents, or submit fraudulent filings on behalf of the victim. No public exploit identified at time of analysis, but the attack requires only an HTTP client and a valid user ID, making weaponization trivial once the endpoint shape is known. |
| Remediation | Both systems are vendor-hosted SaaS, so remediation has already been applied server-side by the operators: EPDS was patched on 2026-02-22 and EDS was patched on 2026-03-19 per the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json - no user-side patching is required, but agencies and law firms with EPDS/EDS accounts should review account activity, force a password reset on any account that did not initiate a reset, and enable multi-factor authentication if offered. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running EPDS and EDS; determine current versions and assess network exposure; notify stakeholders and incident response teams. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals E
Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) an
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37910
GHSA-w9xh-mqg8-v8fv