CVE-2026-54105
Awaiting Analysis Awaiting Analysis - Queue

Sensitive Data Exposure in GAO EPDS and CBCA EDS

Vulnerability report for CVE-2026-54105, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-24

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-24
Generated
2026-07-09
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability exposes sensitive account information, including email addresses, through an unauthenticated API endpoint. This exposure of personal data could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access.

However, specific details on how this vulnerability affects compliance with these standards or any mitigation measures are not provided in the available information.

Executive Summary

This vulnerability affects the U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS). It occurs because the 'update-profile/' API endpoint exposes sensitive account information. A remote attacker who is not authenticated can send a request with any arbitrary 'user_id' parameter and receive a JSON response containing account-specific details, including the associated email address.

Impact Analysis

The vulnerability allows an unauthenticated remote attacker to access sensitive account information such as email addresses by exploiting the 'update-profile/' API endpoint. This exposure can lead to privacy breaches, targeted phishing attacks, or further exploitation by attackers using the obtained account details.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart