CVE Catalog

CVE-2026-54106

MediumCVSS 4.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile — higher than 20% of all known CVEs

Summary

The EPDS and EDS systems do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.

Risk Assessment

Attackers may gain unauthorized access to the systems, potentially leading to data breaches or unauthorized actions within the system.

Recommendation

It is recommended to implement validation of X-Forwarded-For headers and to monitor and restrict access to administrator accounts.

Original NVD description (English source)

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS