Sensitive Information Exposure in GAO Electronic Docketing Systems
CVE-2026-54105

6.9 MEDIUM

What is CVE-2026-54105?

The GAO Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) expose sensitive account information through their 'update-profile/' API endpoint. The endpoint accepts an arbitrary 'user_id' parameter from a remote, unauthenticated client and returns the corresponding account's details, including the user's email address, so an attacker can retrieve details for accounts they do not own without logging in. The exposure comes down to a missing access check on the requested account: the endpoint should reject unauthenticated requests and derive the target account from the authenticated session rather than honouring a client-supplied identifier.
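The access-control failure described above, as an added illustration rather than code from the GAO or CBCA applications: an assumed 'update-profile/' handler that honours a client-supplied user_id, beside a hardened version that binds the target account to the authenticated session, plus the unauthenticated-enumeration check a tester would run to confirm a fix. The in-memory USERS table, the Request and Response shapes, and the handler names are constructed for this example and are not the real systems' internals; the handler is modelled as a profile read because the advisory describes disclosure, not modification.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# Constructed sample accounts for the demonstration; not real docketing users.
USERS = {
    1001: {"user_id": 1001, "username": "protester-counsel", "email": "counsel@example.org"},
    1002: {"user_id": 1002, "username": "agency-rep", "email": "agency.rep@example.gov"},
}


@dataclass
class Request:
    params: dict = field(default_factory=dict)   # client-supplied query/body parameters
    session_user_id: Optional[int] = None        # None when there is no authenticated session


@dataclass
class Response:
    status: int
    body: dict


def _profile_view(user: dict) -> dict:
    return {"user_id": user["user_id"], "username": user["username"], "email": user["email"]}


def update_profile_vulnerable(req: Request) -> Response:
    """Pattern the advisory describes (assumed handler shape): the account to
    operate on is taken straight from the client's user_id parameter, and
    neither authentication nor ownership of that account is checked."""
    try:
        uid = int(req.params.get("user_id", ""))
    except ValueError:
        return Response(400, {"error": "bad user_id"})
    user = USERS.get(uid)
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, _profile_view(user))   # discloses another account's email


def update_profile_fixed(req: Request) -> Response:
    """Hardened form: refuse unauthenticated calls and take the subject account
    from the server-side session. A user_id in the request is only tolerated
    when it matches the session user; anything else is rejected rather than
    honoured, so the parameter can never select someone else's account."""
    if req.session_user_id is None:
        return Response(401, {"error": "authentication required"})
    requested = req.params.get("user_id")
    if requested is not None:
        try:
            if int(requested) != req.session_user_id:
                return Response(403, {"error": "forbidden"})
        except ValueError:
            return Response(400, {"error": "bad user_id"})
    user = USERS.get(req.session_user_id)
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, _profile_view(user))


def count_unauthenticated_leaks(handler: Callable[[Request], Response], ids: Iterable[int]) -> int:
    """Verification check: call the handler with no session over a range of
    user_id values and count responses that disclose an email address.
    A correctly fixed endpoint yields 0 for any range."""
    leaks = 0
    for uid in ids:
        resp = handler(Request(params={"user_id": str(uid)}))
        if resp.status == 200 and "email" in resp.body:
            leaks += 1
    return leaks


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable handler leaked", count_unauthenticated_leaks(update_profile_vulnerable, ids), "accounts")
    print("fixed handler leaked", count_unauthenticated_leaks(update_profile_fixed, ids), "accounts")
```

The fixed handler rejects a mismatched user_id with 403 instead of silently substituting the session user, so a client that still sends the parameter fails loudly during testing rather than masking the fact that the identifier is ignored.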

Affected Version(s)

Electronic Docketing System (EDS): all versions before 2026-03-19

Electronic Protest Docketing System (EPDS): all versions before 2026-02-22

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Blake Rash, CISA