CVE-2026-54106
Awaiting Analysis Awaiting Analysis - Queue

GAO EPDS and CBCA EDS X-Forwarded-For Header Bypass

Vulnerability report for CVE-2026-54106, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-24

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-24
Generated
2026-07-09
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gao electronic_protest_docketing_system *
gao civilian_board_of_contract_appeals_electronic_docketing_system *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-940 The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS). It occurs because these systems do not validate the X-Forwarded-For HTTP headers.

As a result, a remote attacker who has compromised administrator credentials can exploit this flaw to bypass network access controls and log into the system.

Impact Analysis

The vulnerability allows an attacker with compromised administrator credentials to bypass network access controls and gain unauthorized access to the affected systems.

This unauthorized access could lead to potential exposure or manipulation of sensitive information managed by the Electronic Protest Docketing System and the Civilian Board of Contract Appeals Electronic Docketing System.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart