PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54103 U.S. Government Accountability Office (GAO) CVE debrief

CVE-2026-54103 is a critical vulnerability in the U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS). The system fails to authenticate password change requests to the '/update-profile/N' API endpoint, allowing a remote, unauthenticated attacker to change an arbitrary user's password. This vulnerability has a CVSS score of 9.3 and is considered critical. The vulnerability was published on June 18, 2026, and last modified on the same day.

Vendor: U.S. Government Accountability Office (GAO)
Product: Electronic Protest Docketing System (EPDS)
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-22
Advisory published: 2026-06-18
Advisory updated: 2026-06-22

Who should care

Organizations using the GAO EPDS and CBCA EDS systems should prioritize patching this vulnerability to prevent unauthorized access. Additionally, security teams and administrators responsible for these systems should be aware of the potential risks and take immediate action to mitigate the vulnerability.

Technical summary

The vulnerability exists in the '/update-profile/N' API endpoint of the GAO EPDS and CBCA EDS systems. An unauthenticated attacker can exploit this vulnerability to change the password of any user, potentially leading to unauthorized access to sensitive information. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates provided by the vendor to fix the vulnerability
  • Implement additional authentication mechanisms for password change requests
  • Monitor the system for suspicious activity and implement logging and auditing
  • Restrict access to the '/update-profile/N' API endpoint
  • Use secure communication protocols (e.g., HTTPS) to encrypt data in transit
  • Consider implementing a Web Application Firewall (WAF) to detect and prevent attacks
  • Conduct regular security assessments and penetration testing to identify vulnerabilities
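To make the defect in the technical summary and the second recommended action concrete, here is an added example (not PatchSiren's, GAO's or the EPDS/EDS code) that models a profile-update handler for '/update-profile/N' in its missing-authentication form beside a hardened form. The Request structure, the in-memory user store and every helper name are assumptions for illustration only.

```python
# Added illustration, not code from the affected systems. The Request shape,
# USERS store and helper names are assumed; the hashing is deliberately simple.
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

def _hash_password(pw: str) -> str:
    # Demo-only hash so the example runs offline; a real system uses a slow KDF.
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample user store: user id -> password hash
USERS = {1: _hash_password("alice-old"), 2: _hash_password("bob-old")}

@dataclass
class Request:
    path_user_id: int                       # the N in /update-profile/N
    body: dict                              # parsed request body
    session_user_id: Optional[int] = None   # None when no valid session is presented

def vulnerable_update_profile(req: Request) -> int:
    """Trusts the path id and never checks who is calling: the class of defect described above."""
    USERS[req.path_user_id] = _hash_password(req.body["new_password"])
    return 200

def hardened_update_profile(req: Request) -> int:
    """Authenticate the caller, bind the target account to the session, re-prove the current secret."""
    if req.session_user_id is None:
        return 401    # unauthenticated: reject before touching any state
    if req.session_user_id != req.path_user_id:
        return 403    # authenticated, but not the owner of account N
    current = req.body.get("current_password", "")
    if not hmac.compare_digest(_hash_password(current), USERS[req.path_user_id]):
        return 403    # a password change must re-prove the current password
    USERS[req.path_user_id] = _hash_password(req.body["new_password"])
    return 200

def password_is(user_id: int, pw: str) -> bool:
    """Check helper used to observe the effect of each handler on the store."""
    return hmac.compare_digest(USERS[user_id], _hash_password(pw))
```

The hardened handler refuses anonymous callers outright, refuses cross-account changes even for logged-in users, and requires the current password, so a request that only supplies a target id and a new password cannot succeed.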

Evidence notes

The information provided is based on the NVD modified source item and CVE record. The vulnerability details and CVSS vector are sourced from the NVD and CVE.org. The affected systems and CVSS score are confirmed by the CVE record and NVD detail pages.

Official resources

This debrief is based on publicly available information and is intended for general informational purposes only.