Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.
Published: 2026-06-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote attacker can submit an arbitrary user_id to the update-profile/ API endpoint without authentication and obtain JSON data that includes sensitive account information, notably the associated email address. The weakness is a classic evidence of lack of proper access control, mapping to CWE-639.

Affected Systems

The vulnerability affects the U.S. Government Accountability Office’s Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals’ Electronic Docketing System (EDS). Both systems host the exposed API endpoint that returns user‑specific data.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity with full confidentiality impact. No EPSS score is reported, and the vulnerability is not listed in CISA KEV, so immediate exploitation risk is unclear. Nonetheless, any attacker can obtain personal email addresses from the systems, potentially facilitating phishing or other credential‑guessing attacks.

Generated by OpenCVE AI on June 18, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch issued by GAO or CBCA for the EPDS and EDS update‑profile endpoint.
  • Configure the API to require authentication before it accepts request parameters, ensuring only authorized users can query profile data.
  • Restrict access to the update‑profile/ endpoint by IP or request header, and implement input validation to reject arbitrary user_id values.

Generated by OpenCVE AI on June 18, 2026 at 19:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Civilian Board Of Contract Appeals
Civilian Board Of Contract Appeals electronic Docketing System (eds)
Government Accountability Office
Government Accountability Office electronic Protest Docketing System (epds)
Vendors & Products Civilian Board Of Contract Appeals
Civilian Board Of Contract Appeals electronic Docketing System (eds)
Government Accountability Office
Government Accountability Office electronic Protest Docketing System (epds)

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.
Title U.S. GAO EPDS and CBCA EDS user information disclosure
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Civilian Board Of Contract Appeals Electronic Docketing System (eds)
Government Accountability Office Electronic Protest Docketing System (epds)
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-06-24T19:54:05.421Z

Reserved: 2026-06-11T19:41:26.775Z

Link: CVE-2026-54105

cve-icon Vulnrichment

Updated: 2026-06-24T19:54:00.980Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:55:54Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key