Authentication Bypass in GAO Electronic Systems
CVE-2026-54103

9.3 CRITICAL

What is CVE-2026-54103?

The Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) suffer from a significant vulnerability where password change requests to the '/update-profile/N' API endpoint are not authenticated. This flaw allows a remote attacker to change the password of any user without requiring authorization, potentially leading to unauthorized access and manipulation of user accounts within these systems.
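The defect class described above, an account-update endpoint that trusts the user identifier in the path and checks no caller identity, is easiest to see next to its hardened form. The following is an added, illustrative example written for this page; it is not code from EPDS, EDS, or any GAO or CBCA system, and every name in it (the in-memory user and session tables, the `Request` type, the handler functions, the `Authorization` header convention) is an assumption made for illustration. The vulnerable handler accepts any password change for any `N`; the fixed handler requires a valid session, binds it to the account in the path, re-verifies the current password, and drops other sessions for that account once the password changes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical password hashing; stands in for whatever the real systems use.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    """Build a constructed user record: random salt plus PBKDF2 hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt)}

# Constructed in-memory stores: user id -> record, bearer token -> user id.
USERS = {1: make_user("alice-pass"), 2: make_user("bob-pass")}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

@dataclass
class Request:
    path: str                                   # e.g. "/update-profile/2"
    body: dict = field(default_factory=dict)    # parsed JSON body
    headers: dict = field(default_factory=dict)

def verify_password(user_id: int, password: str) -> bool:
    rec = USERS.get(user_id)
    if rec is None:
        return False
    return hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"])

def _user_id_from_path(path: str) -> Optional[int]:
    prefix = "/update-profile/"
    if not path.startswith(prefix):
        return None
    try:
        return int(path[len(prefix):])
    except ValueError:
        return None

def update_profile_vulnerable(req: Request) -> int:
    """Defect class from the advisory: the only input consulted is N in the
    path, so an unauthenticated caller can rotate any user's password."""
    uid = _user_id_from_path(req.path)
    if uid is None or uid not in USERS:
        return 404
    USERS[uid] = make_user(req.body.get("new_password", ""))
    return 200

def update_profile_fixed(req: Request) -> int:
    """Hardened form: authenticate the caller, bind the session to the
    account named in the path, re-verify the current password, then rotate."""
    uid = _user_id_from_path(req.path)
    if uid is None or uid not in USERS:
        return 404
    token = req.headers.get("Authorization", "").removeprefix("Bearer ")
    caller = SESSIONS.get(token)
    if caller is None:
        return 401                              # no valid session presented
    if caller != uid:
        return 403                              # session belongs to another account
    if not verify_password(uid, req.body.get("current_password", "")):
        return 403                              # re-authentication failed
    new_pw = req.body.get("new_password", "")
    if len(new_pw) < 12:
        return 400                              # hypothetical length policy
    USERS[uid] = make_user(new_pw)
    # Invalidate every other session for this account so a session that
    # predates the change cannot outlive it.
    for t, u in list(SESSIONS.items()):
        if u == uid and t != token:
            del SESSIONS[t]
    return 200
```

The order of checks in the fixed handler matters for detection as well as prevention: a 401 means no credential at all, a 403 means a credential for the wrong account or a failed re-authentication, and a burst of either against `/update-profile/` paths with varying `N` is the log signature a defender would alert on.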

Affected Version(s)

  • Electronic Docketing System (EDS) 0

  • Electronic Docketing System (EDS) 0 < 2026-03-19

  • Electronic Protest Docketing System (EPDS) 0 < 2026-02-22

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Blake Rash, CISA.