CRITICAL · CVE-2026-54103 · CNA: cisa-cg

CVE-2026-54103: U.S. GAO EPDS and CBCA EDS unauthenticated password change

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 2026-02-22
Affected Products: 2


HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in the U.S. GAO Electronic Protest Docketing System (EPDS) and the CBCA Electronic Docketing System (EDS). The flaw is reachable over the network with no credentials required: the '/update-profile/N' API endpoint accepts password change requests without verifying the caller's identity. A remote, unauthenticated attacker can overwrite any user's password, enabling full account takeover across both systems. Patched-image rebuilds at versions 2026-02-22 (EPDS) and 2026-03-19 (EDS) are available on HarborGuard for environments running affected versions.
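To make the defect concrete, the following is an added example (not code from EPDS, EDS or HarborGuard) that places a handler for '/update-profile/N' which, like the reported flaw, trusts the path identifier alone next to one that authenticates the caller from a session, checks that N is the caller's own id, and re-verifies the current password before accepting a new one. The store layout, token names and passwords are constructed sample data.

```python
# Added illustration, not EPDS/EDS source. Store layout, token names and
# passwords below are constructed sample data.
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class User:
    salt: bytes
    pw_hash: bytes

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_pw(user: User, password: str) -> bool:
    return hmac.compare_digest(hash_pw(password, user.salt), user.pw_hash)

def make_store():
    """Two accounts and one live session (bearer token -> user id) for user 7."""
    users = {7: User(b"salt-7", hash_pw("alice-old", b"salt-7")),
             8: User(b"salt-8", hash_pw("bob-old", b"salt-8"))}
    return users, {"tok-7": 7}

def vulnerable_update_profile(users, sessions, n, body, headers) -> int:
    """Mirrors the reported defect: the path id N alone selects the account;
    sessions and headers are never consulted, so any caller can set any password."""
    user = users.get(n)
    if user is None:
        return 404
    user.pw_hash = hash_pw(body["new_password"], user.salt)
    return 200

def hardened_update_profile(users, sessions, n, body, headers) -> int:
    # 1. Authenticate: the caller's identity comes from the session, never from N.
    caller = sessions.get(headers.get("Authorization", "").removeprefix("Bearer "))
    if caller is None:
        return 401
    # 2. Authorize: a user may change only their own password (N must match).
    if caller != n:
        return 403
    user = users[caller]
    # 3. Re-verify the current password so a stolen session alone is not enough.
    if not verify_pw(user, body.get("current_password", "")):
        return 403
    user.salt = os.urandom(16)  # fresh salt on every rotation
    user.pw_hash = hash_pw(body["new_password"], user.salt)
    return 200
```

The hardened handler also neutralises the mass-takeover path described under Blast Radius: iterating N without a session yields 401, and a valid session for one user yields 403 for every other N.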

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CISA and NVD) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle either affected application.

Triage: Available

HarborGuard scores this CVE at CVSS 9.3 (Critical, CVSS v4.0) and is capable of weighting that score against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at the fix versions (2026-02-22 for EPDS, 2026-03-19 for EDS) is available on HarborGuard for any environment running an affected image. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the target host.

  • Authentication: Not required

    No credentials of any kind are needed; the '/update-profile/N' endpoint processes password change requests without authenticating the caller.

  • Victim interaction: Not required

    The attacker acts entirely on their own without any action required from the targeted user.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions, special memory layout, or environmental factors are required.

Blast Radius

  • An attacker sets an arbitrary password for any user account, achieving full account takeover without prior access.
  • With control of a user account, the attacker reads that user's docketed case records, filings, and any personally identifiable information stored in the profile.
  • The attacker can modify or submit docketing entries on behalf of the hijacked account, tampering with official protest or contract appeal records.
  • Mass account takeover is feasible by iterating over user identifiers, disrupting access for all legitimate users of either system.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54103 is active across all connected environments and fires within minutes of image ingestion for any image containing an affected version of EPDS (before 2026-02-22) or EDS (before 2026-03-19). Given the Critical CVSS v4.0 score of 9.3 and the unauthenticated, network-reachable nature of the flaw, this CVE is surfaced at the highest priority tier. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the affected image at the respective fix version, executing a regression test run, and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a prefilled PR are staged and waiting for a reviewer. If immediate image replacement is not feasible, consider applying network policy controls to restrict access to the '/update-profile/N' endpoint to authenticated internal networks only as a compensating control until the patched image is deployed.


Fix available: 2026-02-22 (EPDS), 2026-03-19 (EDS)
Affected packages
  • Government Accountability Office / Electronic Protest Docketing System (EPDS)
    < 2026-02-22 (from 0)
    Fixed in 2026-02-22
  • Civilian Board of Contract Appeals / Electronic Docketing System (EDS)
    < 2026-03-19 (from 0)
    Fixed in 2026-03-19
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N