HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-54104Published Modified CNA cisa-cg

CVE-2026-54104: U.S. GAO EPDS and CBCA EDS client-based privilege escalation

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
2026-02-22
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

Fix available

2026-02-222026-03-19
Affected packages
  • Government Accountability Office / Electronic Protest Docketing System (EPDS)
    < 2026-02-22 (from 0)
    Fixed in 2026-02-22
  • Civilian Board of Contract Appeals / Electronic Docketing System (EDS)
    < 2026-03-19 (from 0)
    Fixed in 2026-03-19
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
CVE-2026-54104: U.S. GAO EPDS and CBCA EDS client-based privilege escalation | HarborGuard Database