Search criteria

4 vulnerabilities found for Electronic Docketing System (EDS) by Civilian Board of Contract Appeals

CVE-2026-54106 (GCVE-0-2026-54106)

Vulnerability from cvelistv5 – Published: 2026-06-18 16:13 – Updated: 2026-06-24 19:52 Exclusively Hosted Service
VLAI?
Title
U.S. GAO EPDS and CBCA EDS network access control bypass
Summary
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.
CWE
  • CWE-940 - Improper Verification of Source of a Communication Channel
Assigner
Impacted products
Vendor Product Version
Government Accountability Office Electronic Protest Docketing System (EPDS) Affected: 0 , < 2026-02-22 (custom)
Unaffected: 2026-02-22
Create a notification for this product.
Credits
Blake Rash, CISA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54106",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T19:52:03.881548Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T19:52:10.880Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Electronic Protest Docketing System (EPDS)",
          "vendor": "Government Accountability Office",
          "versions": [
            {
              "lessThan": "2026-02-22",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026-02-22"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Electronic Docketing System (EDS)",
          "vendor": "Civilian Board of Contract Appeals",
          "versions": [
            {
              "lessThan": "2026-03-19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026-03-19"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Blake Rash, CISA"
        }
      ],
      "datePublic": "2026-06-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        },
        {
          "other": {
            "content": {
              "id": "CVE-2026-54106",
              "options": [
                {
                  "Exploitation": "poc"
                },
                {
                  "Automatable": "no"
                },
                {
                  "Technical Impact": "partial"
                }
              ],
              "role": "CISA Coordinator",
              "timestamp": "2026-06-11T19:54:32.618326Z",
              "version": "2.0.3"
            },
            "type": "ssvc"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-940",
              "description": "CWE-940 Improper Verification of Source of a Communication Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T16:13:47.351Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json"
        },
        {
          "name": "url",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54106"
        },
        {
          "name": "url",
          "tags": [
            "product"
          ],
          "url": "https://epds.gao.gov/"
        },
        {
          "name": "url",
          "tags": [
            "product"
          ],
          "url": "https://www.eds.cbca.gov/login"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ],
      "title": "U.S. GAO EPDS and CBCA EDS network access control bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2026-54106",
    "datePublished": "2026-06-18T16:13:47.351Z",
    "dateReserved": "2026-06-11T19:41:26.775Z",
    "dateUpdated": "2026-06-24T19:52:10.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54105 (GCVE-0-2026-54105)

Vulnerability from cvelistv5 – Published: 2026-06-18 16:13 – Updated: 2026-06-24 19:54 Exclusively Hosted Service
VLAI?
Title
U.S. GAO EPDS and CBCA EDS user information disclosure
Summary
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
Government Accountability Office Electronic Protest Docketing System (EPDS) Affected: 0 , < 2026-02-22 (custom)
Unaffected: 2026-02-22
Create a notification for this product.
Credits
Blake Rash, CISA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54105",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T19:53:57.662222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T19:54:05.421Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Electronic Protest Docketing System (EPDS)",
          "vendor": "Government Accountability Office",
          "versions": [
            {
              "lessThan": "2026-02-22",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026-02-22"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Electronic Docketing System (EDS)",
          "vendor": "Civilian Board of Contract Appeals",
          "versions": [
            {
              "lessThan": "2026-03-19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026-03-19"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Blake Rash, CISA"
        }
      ],
      "datePublic": "2026-06-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the \u0027update-profile/\u0027 API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary \u0027user_id\u0027 parameter and receive a JSON response containing account-specific information, including the associated email address."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "other": {
            "content": {
              "id": "CVE-2026-54105",
              "options": [
                {
                  "Exploitation": "none"
                },
                {
                  "Automatable": "yes"
                },
                {
                  "Technical Impact": "partial"
                }
              ],
              "role": "CISA Coordinator",
              "timestamp": "2026-06-11T16:16:19.191886Z",
              "version": "2.0.3"
            },
            "type": "ssvc"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T16:13:24.123Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json"
        },
        {
          "name": "url",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54105"
        },
        {
          "name": "url",
          "tags": [
            "product"
          ],
          "url": "https://epds.gao.gov/"
        },
        {
          "name": "url",
          "tags": [
            "product"
          ],
          "url": "https://www.eds.cbca.gov/login"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ],
      "title": "U.S. GAO EPDS and CBCA EDS user information disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2026-54105",
    "datePublished": "2026-06-18T16:13:24.123Z",
    "dateReserved": "2026-06-11T19:41:26.775Z",
    "dateUpdated": "2026-06-24T19:54:05.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54104 (GCVE-0-2026-54104)

Vulnerability from cvelistv5 – Published: 2026-06-18 16:12 – Updated: 2026-06-22 12:32 Exclusively Hosted Service
VLAI?
Title
U.S. GAO EPDS and CBCA EDS client-based privilege escalation
Summary
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.
CWE
  • CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner
Impacted products
Vendor Product Version
Government Accountability Office Electronic Protest Docketing System (EPDS) Affected: 0 , < 2026-02-22 (custom)
Unaffected: 2026-02-22
Create a notification for this product.
Credits
Blake Rash, CISA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54104",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-19T03:56:02.589399Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T12:32:43.637Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Electronic Protest Docketing System (EPDS)",
          "vendor": "Government Accountability Office",
          "versions": [
            {
              "lessThan": "2026-02-22",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026-02-22"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Electronic Docketing System (EDS)",
          "vendor": "Civilian Board of Contract Appeals",
          "versions": [
            {
              "lessThan": "2026-03-19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026-03-19"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Blake Rash, CISA"
        }
      ],
      "datePublic": "2026-06-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the \u0027epds_role_id\u0027 parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        },
        {
          "other": {
            "content": {
              "id": "CVE-2026-54104",
              "options": [
                {
                  "Exploitation": "none"
                },
                {
                  "Automatable": "no"
                },
                {
                  "Technical Impact": "total"
                }
              ],
              "role": "CISA Coordinator",
              "timestamp": "2026-06-11T16:16:59.303813Z",
              "version": "2.0.3"
            },
            "type": "ssvc"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-602",
              "description": "CWE-602 Client-Side Enforcement of Server-Side Security",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T16:12:58.699Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54104"
        },
        {
          "name": "url",
          "tags": [
            "product"
          ],
          "url": "https://epds.gao.gov/"
        },
        {
          "name": "url",
          "tags": [
            "product"
          ],
          "url": "https://www.eds.cbca.gov/login"
        },
        {
          "name": "url",
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ],
      "title": "U.S. GAO EPDS and CBCA EDS client-based privilege escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2026-54104",
    "datePublished": "2026-06-18T16:12:58.699Z",
    "dateReserved": "2026-06-11T19:41:26.775Z",
    "dateUpdated": "2026-06-22T12:32:43.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54103 (GCVE-0-2026-54103)

Vulnerability from cvelistv5 – Published: 2026-06-18 16:12 – Updated: 2026-06-22 12:32 Exclusively Hosted Service
VLAI?
Title
U.S. GAO EPDS and CBCA EDS unauthenticated password change
Summary
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
CWE
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Government Accountability Office Electronic Protest Docketing System (EPDS) Affected: 0 , < 2026-02-22 (custom)
Unaffected: 2026-02-22
Create a notification for this product.
Credits
Blake Rash, CISA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54103",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-19T03:55:59.525967Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T12:32:52.614Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Electronic Protest Docketing System (EPDS)",
          "vendor": "Government Accountability Office",
          "versions": [
            {
              "lessThan": "2026-02-22",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026-02-22"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Electronic Docketing System (EDS)",
          "vendor": "Civilian Board of Contract Appeals",
          "versions": [
            {
              "lessThan": "2026-03-19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026-03-19"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Blake Rash, CISA"
        }
      ],
      "datePublic": "2026-06-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the \u0027/update-profile/N\u0027 API endpoint. A remote, unauthenticated attacker could change an arbitrary user\u0027s password."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        },
        {
          "other": {
            "content": {
              "id": "CVE-2026-54103",
              "options": [
                {
                  "Exploitation": "none"
                },
                {
                  "Automatable": "yes"
                },
                {
                  "Technical Impact": "total"
                }
              ],
              "role": "CISA Coordinator",
              "timestamp": "2026-06-11T16:17:36.004930Z",
              "version": "2.0.3"
            },
            "type": "ssvc"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T16:12:35.433Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-169-01.json"
        },
        {
          "name": "url",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54103"
        },
        {
          "name": "url",
          "tags": [
            "product"
          ],
          "url": "https://epds.gao.gov/"
        },
        {
          "name": "url",
          "tags": [
            "product"
          ],
          "url": "https://www.eds.cbca.gov/login"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ],
      "title": "U.S. GAO EPDS and CBCA EDS unauthenticated password change"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2026-54103",
    "datePublished": "2026-06-18T16:12:35.433Z",
    "dateReserved": "2026-06-11T19:41:26.775Z",
    "dateUpdated": "2026-06-22T12:32:52.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}