CVE-2026-54104
HighCVSS 8.8Summary
The EPDS and EDS systems do not verify client-provided values for the 'epds_role_id' parameter, allowing a remote, authenticated attacker to escalate their own privileges.
Risk Assessment
An attacker could gain access to elevated privileges, potentially leading to unauthorized access to sensitive data and system functions.
Recommendation
It is recommended to implement validation of the 'epds_role_id' parameter values to prevent privilege escalation by unauthorized users.
Original NVD description (English source)
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.

