CVE Catalog

CVE-2026-54104

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Summary

The EPDS and EDS systems do not verify client-provided values for the 'epds_role_id' parameter, allowing a remote, authenticated attacker to escalate their own privileges.

Risk Assessment

An attacker could gain access to elevated privileges, potentially leading to unauthorized access to sensitive data and system functions.

Recommendation

It is recommended to implement validation of the 'epds_role_id' parameter values to prevent privilege escalation by unauthorized users.

Original NVD description (English source)

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS