Skip to main content

GAO EPDS EUVDEUVD-2026-37913

| CVE-2026-54106 MEDIUM
Improper Verification of Source of a Communication Channel (CWE-940)
2026-06-18 cisa-cg GHSA-96f7-vmp7-7rvh
5.1
CVSS 4.0 · Vendor: cisa-cg
Share

Severity by source

Vendor (cisa-cg) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.8 LOW

Network-delivered via HTTP with low complexity; PR:H required because compromised admin credentials are a hard prerequisite; no availability impact from the login bypass itself.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cisa-cg).

CVSS VectorVendor: cisa-cg

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Jun 18, 2026 - 19:38 NVD
4.7 (MEDIUM) 5.1 (MEDIUM)
Patch available
Jun 18, 2026 - 19:01 EUVD
Analysis Generated
Jun 18, 2026 - 17:11 vuln.today
CVE Published
Jun 18, 2026 - 16:13 cve.org
MEDIUM 4.7

DescriptionCVE.org

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.

AnalysisAI

Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain compromised administrator credentials
Delivery
Identify target login endpoint (epds.gao.gov or eds.cbca.gov)
Exploit
Craft HTTP login request with forged X-Forwarded-For header
Execution
Application accepts spoofed IP as trusted source
Persist
Network access control bypassed
Impact
Authenticate as administrator from untrusted network

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions: (1) the attacker must possess valid, working administrator-level credentials for the target system - these cannot be derived from the X-Forwarded-For bypass itself and must be obtained through a separate compromise vector such as phishing or credential theft; and (2) the system must be enforcing IP-based network access controls via the application layer using the X-Forwarded-For header rather than at the network/transport layer. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.7 (Medium) reflects an attack that, while network-accessible and requiring no user interaction, demands high-privilege credentials (PR:H) as a firm precondition - meaning the attacker must already control a valid administrator account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor who has obtained valid administrator credentials for EPDS or EDS through phishing, credential stuffing, or a prior breach attempts to log in from an IP address outside the permitted government network range and would normally be blocked. By adding a forged 'X-Forwarded-For: 10.0.0.1' header (or any IP within the trusted range) to the HTTP login request, the attacker causes the application to evaluate the spoofed address as the connection source, bypassing the network access control and completing authentication to the administrative interface. …
Remediation No vendor-released patch version has been independently confirmed from the available data; the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json should be reviewed for official remediation guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy