CVE-2026-54105
Status: Awaiting Analysis - Queue
Sensitive Data Exposure in GAO EPDS and CBCA EDS

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products: currently, no data is known.
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability affects the U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS). The 'update-profile/' API endpoint returns account information without verifying that the requester is authorized to view the record it is asked for. A remote, unauthenticated attacker can send a request with an arbitrary 'user_id' parameter and receive a JSON response containing account-specific details, including the associated email address.

Impact Analysis

The vulnerability allows an unauthenticated remote attacker to retrieve sensitive account information, such as email addresses, from the 'update-profile/' API endpoint. Because the lookup is keyed only by 'user_id', the exposure can be enumerated across accounts; this can lead to privacy breaches, targeted phishing against the affected users, or further exploitation by attackers using the obtained account details.

Compliance Impact

The vulnerability exposes sensitive account information, including email addresses, through an unauthenticated API endpoint. This exposure of personal data could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access.

However, specific details on how this vulnerability affects compliance with these standards or any mitigation measures are not provided in the available information.
