CVE-2026-54104: CWE-602 Client-Side Enforcement of Server-Side Security in Government Accountability Office Electronic Protest Docketing System (EPDS)
Description
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) trusts client-provided values for the 'epds_role_id' parameter without verification, allowing a remote, authenticated attacker to escalate their own privileges.
CVSS v3.1
Score: 8.8 (High)
Weaknesses: CWE-602 Client-Side Enforcement of Server-Side Security
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-54104 involves improper enforcement of server-side security controls in the GAO EPDS and CBCA EDS. Specifically, the applications rely on client-provided 'epds_role_id' values without validating them on the server side. This trust in client input enables an authenticated attacker to escalate their privileges by altering the 'epds_role_id' parameter, potentially gaining unauthorized access or capabilities within the system. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability. No official patch or remediation guidance has been published yet, and no known exploits are reported in the wild.
Potential Impact
Successful exploitation allows an authenticated remote attacker to escalate privileges within the EPDS and EDS systems. This can lead to unauthorized access to sensitive information, modification of data, and disruption of system availability. The vulnerability affects confidentiality, integrity, and availability with high severity as indicated by the CVSS score of 8.8.
Mitigation Recommendations
Patch status is not yet confirmed; check for a vendor advisory for current remediation guidance. Until an official fix is available, organizations should restrict access to trusted users only and monitor for unusual privilege-escalation attempts. Because no vendor advisory or patch links have been provided, no product-specific remediation steps can be recommended at this time.
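As an added illustration of the weakness class described in the analysis above (not code from GAO's EPDS or CBCA's EDS, whose implementation is not shown here), the following Python sketch places the client-trusting pattern beside its hardened form and adds the mismatch check a defender could use for the monitoring the mitigation section recommends. The role ids, session ids, user names and the in-memory session store are constructed assumptions.

```python
# Added example (not code from GAO/EPDS): the CWE-602 pattern described above
# in a minimal, framework-free form. Role ids, names and the session store are
# constructed assumptions for illustration, not values from the advisory.
from dataclasses import dataclass, field

ROLE_FILER = 1      # assumed: ordinary protest filer
ROLE_ADMIN = 9      # assumed: docket administrator (higher number = more power)

# Server-side session store: the only trustworthy source of a user's role.
# Constructed sample: "u-filer" is a filer, "u-admin" is an administrator.
SESSIONS = {
    "sess-filer": {"user": "u-filer", "epds_role_id": ROLE_FILER},
    "sess-admin": {"user": "u-admin", "epds_role_id": ROLE_ADMIN},
}

@dataclass
class Request:
    session_id: str                              # from a server-issued cookie
    params: dict = field(default_factory=dict)   # client-controlled body/query

def authorize_vulnerable(req: Request, required_role: int) -> bool:
    """CWE-602 pattern: the authorization decision is taken from a
    client-supplied field, so any authenticated user can claim any role."""
    claimed = int(req.params.get("epds_role_id", ROLE_FILER))
    return claimed >= required_role

def authorize_hardened(req: Request, required_role: int) -> bool:
    """Fixed form: the role is read from the server-side session keyed by the
    session id; whatever the client sends in 'epds_role_id' is ignored."""
    session = SESSIONS.get(req.session_id)
    if session is None:
        return False
    return session["epds_role_id"] >= required_role

def role_mismatch(req: Request) -> bool:
    """Monitoring hook for the privilege-escalation attempts the advisory says
    to watch for: True when a client-supplied 'epds_role_id' disagrees with
    the role the server holds for that session (non-numeric counts as tampering)."""
    session = SESSIONS.get(req.session_id)
    if session is None or "epds_role_id" not in req.params:
        return False
    try:
        return int(req.params["epds_role_id"]) != session["epds_role_id"]
    except ValueError:
        return True

if __name__ == "__main__":
    tampered = Request("sess-filer", {"epds_role_id": str(ROLE_ADMIN)})
    print(authorize_vulnerable(tampered, ROLE_ADMIN))  # True: escalation succeeds
    print(authorize_hardened(tampered, ROLE_ADMIN))    # False: denied
    print(role_mismatch(tampered))                     # True: worth alerting on
```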
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisa-cg
- Date Reserved: 2026-06-11T19:41:26.775Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a341e85f198dc38c11fcf4a
Added to database: 6/18/2026, 4:36:21 PM
Last enriched: 6/18/2026, 4:50:06 PM
Last updated: 6/19/2026, 3:14:37 PM