Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.
Published: 2026-06-18
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the U.S. Government Accountability Office Electronic Protest Docketing System and the Civilian Board of Contract Appeals Electronic Docketing System, which unconditionally trust the client‑supplied "epds_role_id" request parameter. An authenticated user can supply a value that the servers treat as a privilege level, thereby elevating their own permissions without any verification. This flaw represents a classic privilege escalation flaw (CWE‑602) and allows a remote attacker to gain unauthorized access to functions normally restricted to higher‑privileged users.

Affected Systems

The affected systems are the EPDS used by the GAO and the EDS used by the CBCA. The only vendor information provided is the GAO for EPDS and the Civilian Board of Contract Appeals for EDS. No specific product versions are listed, so all current deployments of the EPDS and EDS without a patch are potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not available, but the lack of a listing in the CISA KEV catalog suggests no known widespread exploitation yet. The attack requires remote authenticated access, but once authenticated, an attacker can manipulate the role field and elevate privileges. This places the risk in the high category, with significant potential for unauthorized data access or modification if exploited.

Generated by OpenCVE AI on June 18, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or update that validates the epds_role_id parameter before using it.
  • Restrict the ability to set or override epds_role_id in client requests, ensuring only authorized system components can assign role identifiers.
  • Review and audit access logs for anomalous changes to role assignments or unauthorized privilege escalation attempts.

Generated by OpenCVE AI on June 18, 2026 at 19:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Civilian Board Of Contract Appeals
Civilian Board Of Contract Appeals electronic Docketing System (eds)
Government Accountability Office
Government Accountability Office electronic Protest Docketing System (epds)
Vendors & Products Civilian Board Of Contract Appeals
Civilian Board Of Contract Appeals electronic Docketing System (eds)
Government Accountability Office
Government Accountability Office electronic Protest Docketing System (epds)

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.
Title U.S. GAO EPDS and CBCA EDS client-based privilege escalation
Weaknesses CWE-602
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Civilian Board Of Contract Appeals Electronic Docketing System (eds)
Government Accountability Office Electronic Protest Docketing System (epds)
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-06-22T12:32:43.637Z

Reserved: 2026-06-11T19:41:26.775Z

Link: CVE-2026-54104

cve-icon Vulnrichment

Updated: 2026-06-22T12:32:40.900Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:55:56Z

Weaknesses
  • CWE-602

    Client-Side Enforcement of Server-Side Security