Skip to main content

GAO EPDS/CBCA EDS EUVDEUVD-2026-37910

| CVE-2026-54103 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-18 cisa-cg GHSA-w9xh-mqg8-v8fv
9.3
CVSS 4.0 · Vendor: cisa-cg
Share

Severity by source

Vendor (cisa-cg) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Endpoint is internet-reachable with no auth and no user interaction (AV:N/AC:L/PR:N/UI:N); arbitrary password reset yields full account takeover, so C/I/A all High.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (cisa-cg).

CVSS VectorVendor: cisa-cg

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 18, 2026 - 19:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 18, 2026 - 19:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 18, 2026 - 19:38 vuln.today
cvss_changed
CVSS changed
Jun 18, 2026 - 19:38 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Patch available
Jun 18, 2026 - 19:01 EUVD
Analysis Generated
Jun 18, 2026 - 17:03 vuln.today
CVE Published
Jun 18, 2026 - 16:12 cve.org
CRITICAL 9.8

DescriptionCVE.org

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

AnalysisAI

Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target user ID on EPDS/EDS
Delivery
Send unauthenticated POST to /update-profile/N
Exploit
Endpoint accepts password change without auth
Execution
Attacker logs in as victim
Persist
Access sealed protest/appeal filings
Impact
Exfiltrate or tamper with procurement records

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default deployments of the EPDS portal at epds.gao.gov and the EDS portal at eds.cbca.gov via the '/update-profile/N' API endpoint, where N is the target user's identifier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high real-world risk: CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N gives a 9.3 score with full VC/VI/VA high impact on the vulnerable system, meaning the attack is internet-reachable, requires no privileges, no user interaction, and no special attack conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows or can enumerate a target user identifier (for example, a contracting officer or attorney known to file protests) sends a single unauthenticated HTTP request to https://epds.gao.gov/update-profile/{N} (or the EDS equivalent) with a new password in the body, then logs in as that user to read sealed protest filings, exfiltrate procurement-sensitive documents, or submit fraudulent filings on behalf of the victim. No public exploit identified at time of analysis, but the attack requires only an HTTP client and a valid user ID, making weaponization trivial once the endpoint shape is known.
Remediation Both systems are vendor-hosted SaaS, so remediation has already been applied server-side by the operators: EPDS was patched on 2026-02-22 and EDS was patched on 2026-03-19 per the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json - no user-side patching is required, but agencies and law firms with EPDS/EDS accounts should review account activity, force a password reset on any account that did not initiate a reset, and enable multi-factor authentication if offered. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running EPDS and EDS; determine current versions and assess network exposure; notify stakeholders and incident response teams. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy