CVE-2026-54104
Published 2026-06-18
Priority: P2 · 59 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.40% (31.9th percentile)
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.
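The flaw class here is CWE-602, client-side enforcement of server-side security: the server takes the role it authorizes against from a parameter the client controls. The example below is added here to illustrate that pattern; it is not EPDS/EDS code, and the request/session structures, the `list protests` action, the role identifiers and the function names are all assumptions. Only the parameter name `epds_role_id` comes from the advisory. The vulnerable handler reads the role from the request, the hardened one reads it only from server-side session state, and a small probe shows which of the two an authenticated low-privilege user can escalate through.

```python
# Added example for CVE-2026-54104 (CWE-602). This is not EPDS/EDS code: the
# real stack, session layout and role identifiers are not public on this page;
# everything below except the parameter name 'epds_role_id' is assumed.
from dataclasses import dataclass, field

# Hypothetical role identifiers (the real EPDS/EDS values are not in the advisory).
ROLE_PROTESTER = 1
ROLE_GAO_STAFF = 9


@dataclass
class Session:
    """Server-side session state established at login."""
    user_id: str
    role_id: int


@dataclass
class Request:
    """Stand-in for an authenticated HTTP request: session plus client-controlled params."""
    session: Session
    params: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller's role does not permit the action."""


def vulnerable_list_protests(req: Request) -> str:
    """Before: the role used for the authorization decision is taken from the
    client-supplied 'epds_role_id' parameter, so any authenticated user can
    claim a staff role simply by sending a different value."""
    claimed = req.params.get("epds_role_id")
    role_id = int(claimed) if claimed is not None else req.session.role_id
    if role_id != ROLE_GAO_STAFF:
        raise Forbidden("staff only")
    return "all protests"


def role_tamper_detected(req: Request) -> bool:
    """True if the client sent an 'epds_role_id' that disagrees with the
    server-side session role. A useful detection signal even after the fix."""
    claimed = req.params.get("epds_role_id")
    return claimed is not None and claimed != str(req.session.role_id)


def hardened_list_protests(req: Request) -> str:
    """After: the role comes only from server-side session state. The client
    value is never consulted for the decision; a mismatch is only recorded."""
    if role_tamper_detected(req):
        # In a real service this is where the mismatch would be logged/alerted.
        # It must not change the outcome of the authorization check.
        pass
    if req.session.role_id != ROLE_GAO_STAFF:
        raise Forbidden("staff only")
    return "all protests"


def escalation_possible(handler) -> bool:
    """Drive a low-privilege session through a handler while claiming the staff
    role; returns True if the handler grants the staff-only resource."""
    attacker = Request(Session("protester-42", ROLE_PROTESTER),
                       {"epds_role_id": str(ROLE_GAO_STAFF)})
    try:
        handler(attacker)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable handler escalates:", escalation_possible(vulnerable_list_protests))
    print("hardened handler escalates:", escalation_possible(hardened_list_protests))
```

The check in `role_tamper_detected` is worth keeping in the fixed code path: once the server ignores the parameter, a client that still sends a role it does not hold is either a stale client or someone probing, and that mismatch is the cheapest detection signal available for this bug class.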
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| civilian_board_of_contract_appeals | electronic_docketing_system | < 2026-03-19 | 2026-03-19 |
| government_accountability_office | electronic_protest_docketing_system | < 2026-02-22 | 2026-02-22 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Government Accountability Office Electronic Protest Docketing System prior 2026-02-22 epds_role_id client-side enforcement of server-side security (EUVD-2026-37911)
vuldb·2026-06-18
CVE-2026-54104 [CRITICAL] Government Accountability Office Electronic Protest Docketing System prior 2026-02-22 epds_role_id client-side enforcement of server-side security (EUVD-2026-37911)
A vulnerability rated as critical has been detected in Government Accountability Office Electronic Protest Docketing System and Electronic Docketing System. The affected functionality is not specified. Manipulation of the argument epds_role_id leads to client-side enforcement of server-side security.
This vulnerability is tracked as CVE-2026-54104. The attack can be initiated remotely. No exploit is available.
This product operates as a managed service, which prevents users from maintaining vulnerability countermeasures themselves. Upgrading the affected component is recommended.
GHSA
GHSA-768x-r5g5-79vc: The U
ghsa_unreviewed·2026-06-18
CVE-2026-54104 [HIGH] CWE-602 GHSA-768x-r5g5-79vc: The U
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-18