Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
Published: 2026-06-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GAO Electronic Protest Docketing System and the CBCA Electronic Docketing System allow password changes via the '/update-profile/N' API without authenticating the requester. A remote attacker who can reach this endpoint can set a new password for any user account. This results in credential compromise, enabling an attacker to gain unauthorized access to all resources protected by the affected systems and potentially expose sensitive data. The weakness is classified as CWE-306, an authentication bypass that undermines credential control.

Affected Systems

The vulnerability affects two U.S. federal systems: the Civilian Board of Contract Appeals Electronic Docketing System and the Government Accountability Office Electronic Protest Docketing System. No specific versioning information is provided, so all deployed instances are considered potentially vulnerable until a vendor patch is applied.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. Exploit probability is not available from EPSS, and the vulnerability is not listed in the CISA KEV catalog, but the lack of authentication on a remote API endpoint represents a clear and straightforward attack path. A remote, unauthenticated attacker can exploit the flaw with minimal effort, making the risk high in environments where these systems are publicly reachable.

Generated by OpenCVE AI on June 18, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch as soon as it becomes available
  • Restrict network access to the '/update-profile/N' endpoint, allowing only authenticated or whitelisted traffic
  • Enable monitoring of password change logs and set up alerts for unusual activity

Generated by OpenCVE AI on June 18, 2026 at 19:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Civilian Board Of Contract Appeals
Civilian Board Of Contract Appeals electronic Docketing System (eds)
Government Accountability Office
Government Accountability Office electronic Protest Docketing System (epds)
Vendors & Products Civilian Board Of Contract Appeals
Civilian Board Of Contract Appeals electronic Docketing System (eds)
Government Accountability Office
Government Accountability Office electronic Protest Docketing System (epds)

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
Title U.S. GAO EPDS and CBCA EDS unauthenticated password change
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Civilian Board Of Contract Appeals Electronic Docketing System (eds)
Government Accountability Office Electronic Protest Docketing System (epds)
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-06-22T12:32:52.614Z

Reserved: 2026-06-11T19:41:26.775Z

Link: CVE-2026-54103

cve-icon Vulnrichment

Updated: 2026-06-22T12:32:49.390Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:55:58Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function