Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.
Published: 2026-06-18
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the lack of validation of X-Forwarded-For headers in the GAO EPDS and CBCA EDS authentication logic. By injecting arbitrary X-Forwarded-For values, an attacker with compromised administrator credentials can trick the system into believing the request originates from an allowed internal IP. This bypasses network access controls that rely on IP filtering and enables unauthorized use of the application’s administrative functionality. The flaw is a direct Access Control bypass identified as CWE-940.

Affected Systems

The affected services are the GAO Electronic Protest Docketing System (EPDS) and the CBCA Electronic Docketing System (EDS). The advisory does not enumerate specific software versions, so any existing installation that still uses the default authentication and header handling is vulnerable. These systems are typically deployed in government or contractor environments that enforce IP-based access policies.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker already holds administrative credentials, thus the attack surface is limited to compromised accounts. However, once credentialed, the attacker can modify the X-Forwarded-For header to override IP-based restrictions and gain remote access to otherwise restricted resources. The attack vector is likely remote over HTTP/HTTPS.

Generated by OpenCVE AI on June 18, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enforce firewall or VPN restrictions on administrative endpoints, preventing external access that could rely on X-Forwarded-For spoofing.
  • Configure the web server or application to ignore or strip the X-Forwarded-For header for authentication or administrative requests before applying IP-based access controls.
  • Require multi-factor authentication for all administrator accounts to reduce the impact of credential compromise.
  • Audit the load-balancer or proxy configuration to ensure only internal trusted proxies populate X-Forwarded-For values for all traffic reaching the application.

Generated by OpenCVE AI on June 18, 2026 at 18:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Civilian Board Of Contract Appeals
Civilian Board Of Contract Appeals electronic Docketing System (eds)
Government Accountability Office
Government Accountability Office electronic Protest Docketing System (epds)
Vendors & Products Civilian Board Of Contract Appeals
Civilian Board Of Contract Appeals electronic Docketing System (eds)
Government Accountability Office
Government Accountability Office electronic Protest Docketing System (epds)

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.
Title U.S. GAO EPDS and CBCA EDS network access control bypass
Weaknesses CWE-940
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Civilian Board Of Contract Appeals Electronic Docketing System (eds)
Government Accountability Office Electronic Protest Docketing System (epds)
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-06-24T19:52:10.880Z

Reserved: 2026-06-11T19:41:26.775Z

Link: CVE-2026-54106

cve-icon Vulnrichment

Updated: 2026-06-24T19:52:07.284Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:55:52Z

Weaknesses
  • CWE-940

    Improper Verification of Source of a Communication Channel