CVE-2026-54103
CriticalCVSS 9.8Summary
The EPDS and EDS systems do not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
Risk Assessment
The lack of authorization for password changes poses a serious security risk to user accounts, potentially leading to unauthorized access to sensitive data.
Recommendation
It is recommended to implement an authorization mechanism for password change requests to prevent unauthorized modifications of user accounts.
Original NVD description (English source)
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

