Impact
A remote attacker can submit an arbitrary user_id to the update-profile/ API endpoint without authentication and obtain JSON data that includes sensitive account information, notably the associated email address. The weakness is a classic evidence of lack of proper access control, mapping to CWE-639.
Affected Systems
The vulnerability affects the U.S. Government Accountability Office’s Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals’ Electronic Docketing System (EDS). Both systems host the exposed API endpoint that returns user‑specific data.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate severity with full confidentiality impact. No EPSS score is reported, and the vulnerability is not listed in CISA KEV, so immediate exploitation risk is unclear. Nonetheless, any attacker can obtain personal email addresses from the systems, potentially facilitating phishing or other credential‑guessing attacks.
OpenCVE Enrichment