CVE Catalog

CVE-2026-54105

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

The EPDS and EDS systems expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.

Risk Assessment

The exposure of sensitive account information may lead to further attacks, such as phishing or identity theft. Organizations should be aware of the risks associated with unauthorized access to user data.

Recommendation

It is recommended to secure the 'update-profile/' API endpoint by implementing authentication and input parameter validation. A security audit of the EPDS and EDS systems should also be conducted.

Original NVD description (English source)

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS