CVE-2026-54103

Severity CVSS v4.0:
CRITICAL
Type:
CWE-306 Missing Authentication for Critical Function
Publication date:
18/06/2026
Last modified:
22/06/2026

Description

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.