Privilege Escalation Vulnerability in GAO EPDS and CBCA EDS Systems
CVE-2026-54104

8.7 HIGH

What is CVE-2026-54104?

Both the GAO Electronic Protest Docketing System (EPDS) and the CBCA Electronic Docketing System (EDS) are affected by a vulnerability that allows a remote, authenticated attacker to escalate their privileges. This occurs because the systems trust unsanitized client-provided values for the 'epds_role_id' parameter. The lack of robust validation mechanisms poses a significant risk, enabling attackers to gain unauthorized access to higher-level user functionality and sensitive data.

Affected Version(s)

Electronic Docketing System (EDS) 0

Electronic Docketing System (EDS) 0 < 2026-03-19

Electronic Protest Docketing System (EPDS) 0 < 2026-02-22

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Blake Rash, CISA