CVE-2026-54103
Severity CVSS v4.0:
CRITICAL
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
18/06/2026
Last modified:
22/06/2026
Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
Impact
Base Score 4.0
9.30
Severity 4.0
CRITICAL
Base Score 3.x
9.80
Severity 3.x
CRITICAL



