CVE-2026-54106
Status: Awaiting Analysis (queue)
GAO EPDS and CBCA EDS X-Forwarded-For Header Bypass

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
gao | electronic_protest_docketing_system | *
gao | civilian_board_of_contract_appeals_electronic_docketing_system | *
CWE
CWE-940: The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
Executive Summary

This vulnerability exists in the U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS). It occurs because these systems do not validate the X-Forwarded-For HTTP headers.

As a result, a remote attacker who has compromised administrator credentials can exploit this flaw to bypass network access controls and log into the system.

Impact Analysis

The vulnerability allows an attacker with compromised administrator credentials to bypass network access controls and gain unauthorized access to the affected systems.

This unauthorized access could lead to potential exposure or manipulation of sensitive information managed by the Electronic Protest Docketing System and the Civilian Board of Contract Appeals Electronic Docketing System.
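The following is an added illustration of the CWE-940 pattern behind this CVE, not code from EPDS or EDS (their implementations are not public): a client-IP resolver that trusts X-Forwarded-For from any peer, beside a hardened version that honours the header only when the TCP peer is a known reverse proxy. The proxy and allowlist networks, header values and function names are constructed for the example.

```python
import ipaddress

# Constructed sample values, not real deployment data.
TRUSTED_PROXIES = {ipaddress.ip_network("10.0.0.0/8")}    # reverse-proxy tier
ADMIN_ALLOWLIST = {ipaddress.ip_network("192.0.2.0/24")}  # permitted admin source range

def _in(ip, nets):
    return any(ip in n for n in nets)

def client_ip_vulnerable(peer_ip, headers):
    """Flawed: trusts X-Forwarded-For from anyone, so the header value,
    not the TCP peer, decides which network the request 'came from'."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)

def client_ip_hardened(peer_ip, headers):
    """Hardened: the header is considered only if the TCP peer is a trusted
    proxy; then the right-most hop that is not itself a trusted proxy is the
    client, because every hop to its left was appended by an untrusted party."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in(peer, TRUSTED_PROXIES):
        return peer  # direct connection: the header is untrusted input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fail closed to the peer address
        if not _in(ip, TRUSTED_PROXIES):
            return ip
    return peer  # only proxy addresses listed: treat as the proxy itself

def admin_login_allowed(resolver, peer_ip, headers):
    """Network access control applied before the credential check."""
    return _in(resolver(peer_ip, headers), ADMIN_ALLOWLIST)
```

Detection-wise, the same rule applies to logging: record the TCP peer address alongside the resolved client IP, so a forwarded address that disagrees with an untrusted peer is visible in the audit trail.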
