CVE-2026-54106
MediumCVSS 4.7Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
The EPDS and EDS systems do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.
Risk Assessment
Attackers may gain unauthorized access to the systems, potentially leading to data breaches or unauthorized actions within the system.
Recommendation
It is recommended to implement validation of X-Forwarded-For headers and to monitor and restrict access to administrator accounts.
Original NVD description (English source)
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.

