PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54105 U.S. Government Accountability Office CVE debrief

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) are vulnerable to sensitive account information exposure. A remote, unauthenticated attacker can exploit this vulnerability by submitting a request with an arbitrary 'user_id' parameter to the 'update-profile/' API endpoint, receiving a JSON response containing account-specific information, including the associated email address. This medium-severity vulnerability, with a CVSS score of 6.9, requires immediate attention from government agencies and contractors using these systems. The vulnerability was publicly disclosed on June 18, 2026. Affected organizations should take prompt action to mitigate this risk.

Vendor: U.S. Government Accountability Office
Product: Electronic Protest Docketing System (EPDS)
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-18
Advisory published: 2026-06-18
Advisory updated: 2026-06-18

Who should care

Government agencies, contractors, and organizations using the GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) should be aware of this vulnerability and take necessary precautions to protect sensitive account information.

Technical summary

The vulnerability exists in the 'update-profile/' API endpoint of both the EPDS and EDS systems. An unauthenticated attacker can submit a request with an arbitrary 'user_id' parameter and receive a JSON response containing sensitive account information, including email addresses; the endpoint selects the record by the client-supplied key without checking that the caller is authenticated or is the owner of that record. The CVSS:4.0 vector for this vulnerability is AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. This vulnerability is classified under CWE-639.
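To make the CWE-639 pattern concrete, the following is an added example, not code from PatchSiren, GAO or the EPDS/EDS systems: a minimal, framework-free model of a profile endpoint that looks up a record by a client-supplied 'user_id' (the weakness the advisory describes), beside a hardened version that derives the subject from the authenticated session and refuses to honour a mismatching parameter. The account records, session store, Request type and field names are all constructed for illustration.

```python
"""Added example (not from the PatchSiren page or the GAO systems): a profile
endpoint in the CWE-639 shape the advisory describes, next to a hardened
version that binds the record to the authenticated caller."""
from dataclasses import dataclass, field

# Constructed sample data: two accounts and one authenticated session.
ACCOUNTS = {
    "1001": {"user_id": "1001", "email": "alice@example.test", "display_name": "Alice"},
    "1002": {"user_id": "1002", "email": "bob@example.test", "display_name": "Bob"},
}
SESSIONS = {"sess-abc": "1001"}  # session token -> authenticated user_id (assumed layout)


@dataclass
class Request:
    """Hypothetical request object: query/body parameters and cookies."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)  # e.g. {"session": "sess-abc"}


def vulnerable_update_profile(req: Request) -> tuple[int, dict]:
    """Vulnerable: the record is selected solely by the client-supplied user_id
    and no authentication is required, so any caller can read any account."""
    account = ACCOUNTS.get(req.params.get("user_id", ""))
    if account is None:
        return 404, {"error": "not found"}
    return 200, dict(account)


def current_user(req: Request):
    """Resolve the caller from the session cookie; None if unauthenticated."""
    return SESSIONS.get(req.cookies.get("session", ""))


def hardened_update_profile(req: Request) -> tuple[int, dict]:
    """Hardened: require a session and bind the record to the authenticated
    subject. A user_id parameter that does not match the session is rejected,
    so the lookup key is no longer user-controlled."""
    uid = current_user(req)
    if uid is None:
        return 401, {"error": "authentication required"}
    requested = req.params.get("user_id", uid)
    if requested != uid:
        # 404 rather than 403 avoids confirming that the other id exists.
        return 404, {"error": "not found"}
    account = ACCOUNTS[uid]
    # Return only the fields the profile form needs; they belong to the caller.
    return 200, {"user_id": account["user_id"], "email": account["email"],
                 "display_name": account["display_name"]}
```

The design point is that the hardened handler never uses the request parameter to choose the record; it uses the session-derived identity and treats the parameter only as something to validate against it. A server-side log of rejected mismatches is also a useful detection signal.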

Defensive priority

High

Recommended defensive actions

  • Immediately apply patches or updates to the EPDS and EDS systems to fix the vulnerable 'update-profile/' API endpoint.
  • Implement proper authentication and authorization mechanisms for API endpoints handling sensitive information.
  • Conduct thorough security audits and penetration testing to identify similar vulnerabilities.
  • Restrict access to sensitive API endpoints using IP whitelisting or VPN.
  • Monitor API endpoint logs for suspicious activity and implement rate limiting.
  • Develop and implement a comprehensive incident response plan.
  • Provide security awareness training to developers and administrators handling sensitive systems.
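The monitoring and rate-limiting recommendation above can be turned into concrete detection logic. The following is an added example, not part of the PatchSiren advisory or of the affected systems: it parses constructed web-server log lines for the 'update-profile/' endpoint and raises alerts for three patterns, an unauthenticated request that succeeded, an authenticated caller requesting another account's 'user_id', and one source requesting many distinct 'user_id' values inside a short window. The log layout, the "anon"/"user:<id>" auth field, the window and the threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the page or the affected systems): detection logic
for access to a profile endpoint, run over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed log layout: "<ISO timestamp> <client ip> <method> <path?query> <status> <auth>"
# where <auth> is "anon" or "user:<id>". All lines below are constructed samples.
SAMPLE_LOG = """\
2026-06-18T10:00:01Z 203.0.113.5 GET /update-profile/?user_id=1001 200 anon
2026-06-18T10:00:02Z 203.0.113.5 GET /update-profile/?user_id=1002 200 anon
2026-06-18T10:00:02Z 203.0.113.5 GET /update-profile/?user_id=1003 200 anon
2026-06-18T10:00:03Z 203.0.113.5 GET /update-profile/?user_id=1004 200 anon
2026-06-18T10:00:03Z 203.0.113.5 GET /update-profile/?user_id=1005 200 anon
2026-06-18T10:05:00Z 198.51.100.7 GET /update-profile/?user_id=1001 200 user:1001
2026-06-18T10:06:00Z 198.51.100.7 POST /update-profile/ 200 user:1001
2026-06-18T10:07:00Z 198.51.100.9 GET /update-profile/?user_id=1002 200 user:1002
2026-06-18T10:08:00Z 198.51.100.9 GET /update-profile/?user_id=1001 404 user:1002
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, target, status, auth = m.groups()
    parts = urlsplit(target)
    uid = parse_qs(parts.query).get("user_id", [None])[0]
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": parts.path, "user_id": uid,
            "status": int(status), "auth": auth}


def detect(log_text, endpoint="/update-profile/", window=timedelta(minutes=5),
           distinct_threshold=3):
    """Return a list of (alert_kind, source_ip, detail) tuples."""
    alerts = []
    per_ip = defaultdict(list)  # ip -> [(timestamp, user_id)]
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["path"] != endpoint:
            continue
        # Rule 1: an unauthenticated caller got a 200 from an endpoint that must require auth.
        if ev["auth"] == "anon" and ev["status"] == 200:
            alerts.append(("unauthenticated_success", ev["ip"], ev["user_id"]))
        # Rule 2: an authenticated caller asked for a user_id other than its own.
        elif ev["user_id"] and ev["auth"].startswith("user:") and ev["auth"][5:] != ev["user_id"]:
            alerts.append(("cross_account_request", ev["ip"], ev["user_id"]))
        if ev["user_id"]:
            per_ip[ev["ip"]].append((ev["ts"], ev["user_id"]))
    # Rule 3: many distinct user_id values from one source within the window -> enumeration.
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {u for t, u in events[i:] if t - t0 <= window}
            if len(ids) >= distinct_threshold:
                alerts.append(("user_id_enumeration", ip, len(ids)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 1 is the direct signal for this advisory: on a correctly authorized endpoint it should never fire. Rule 3 is worth keeping even after the fix, since a burst of distinct 'user_id' values from one source is the same pattern a rate limiter should throttle.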

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and the CVE.org record. The vulnerability was publicly disclosed on June 18, 2026. The accuracy of this information relies on the credibility of these sources.

Official resources

CVE-2026-54105 was publicly disclosed on June 18, 2026.