CVE-2026-54103

CRITICAL(9.8)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Signal Score30/100 — MITTEL

CVSS 9.8 — Kritisch

Beschreibung

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.

Referenzen

https://epds.gao.gov/
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/...
https://www.cve.org/CVERecord?id=CVE-2026-54103
https://www.eds.cbca.gov/login