CVE Catalog

CVE-2026-54103

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

The EPDS and EDS systems do not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

Risk Assessment

The lack of authorization for password changes poses a serious security risk to user accounts, potentially leading to unauthorized access to sensitive data.

Recommendation

It is recommended to implement an authorization mechanism for password change requests to prevent unauthorized modifications of user accounts.

Original NVD description (English source)

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS