Improper Input Validation in GAO Electronic Protest Docketing System and EDS
CVE-2026-54106

5.1MEDIUM

Key Information:

Vendor: Government Accountability Office
Status: Electronic Protest Docketing System (epds); Electronic Docketing System (eds)
Vendor: CVE Published:; 18 June 2026

🔔 Create Government Accountability Office Vulnerability Alert

What is CVE-2026-54106?

The GAO Electronic Protest Docketing System and CBCA Electronic Docketing System suffer from insufficient validation of X-Forwarded-For HTTP headers. This vulnerability allows remote attackers with compromised administrative credentials to effectively bypass network access controls, enabling unauthorized access. As a result, sensitive data could be at risk, highlighting the necessity for robust validation mechanisms to enhance security in these systems.

Affected Version(s)

Electronic Docketing System (EDS) 0

Electronic Docketing System (EDS) 0 < 2026-03-19

Electronic Protest Docketing System (EPDS) 0 < 2026-02-22

References

https://raw.githubusercontent.com/cisagov/CSAF/develop/cs...

https://www.cve.org/CVERecord?id=CVE-2026-54106

vdb-entry

https://epds.gao.gov/

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
Jun 11, 2026

Credit

Blake Rash, CISA

CVE-2026-54106 Data

JSON