External risk intelligence

GAO and CBCA Docketing Systems Password Change Vulnerability

CVE advisory
Severity: CRITICAL (CVSS 9.3)

CVE-2026-54103

The vulnerable component is a public-facing web-based docketing system designed for external users to interact with government legal processes. As an internet-accessible web application, the /update-profile/ endpoint is exposed to the public internet by design to facilitate user management.

Missing Authentication

External exposure likelihood: Halo Surface Signal 5 out of 5 — more likely to be public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

The U.S. Government Accountability Office and Civilian Board of Contract Appeals systems have a security flaw that allows anyone on the internet to change any user's password without needing to know the current password. This vulnerability affects the systems used for managing electronic dockets and profiles.

  • Unauthenticated users can change any profile password.
  • Relevant by design: the affected systems are public-facing and internet-exposed.
  • Verify impact on user accounts and data access.

Attack Path

How an attacker could exploit the issue

An attacker can target the GAO Electronic Protest Docketing System and the CBCA Electronic Docketing System by interacting with a specific API endpoint without needing any prior access or authentication. This vulnerability allows for unauthorized password changes for any user within the system.

  • Exploitable remotely, with no authentication required.
  • Password change API endpoint is vulnerable.
  • Allows arbitrary user password modification.

Live Threat

Current exploitation, exposure, and threat context

An attacker could change any user's password on the Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) by exploiting a lack of authentication for password change requests to the '/update-profile/N' API endpoint. This could occur when the systems are operational and accessible via the internet.

  • Asset at risk: user account credentials
  • Vector: attacker sends unauthenticated password change requests
  • Impact: unauthorized account access
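The threat context above comes down to one observable: password-change requests to '/update-profile/N' that arrive with no authenticated session, or from a session that belongs to a different user than N. The following detection sketch is an added example, not code or log output from the docketing systems or from Halo. The application-log format (one line per request ending in user=<id or ->) and every sample line are constructed for this example; a real deployment would map its own log fields into parse_line.

```python
"""Detection sketch: flag password-change requests to /update-profile/N that are
unauthenticated or cross-account.  Log format and sample lines are constructed for
this example and are not the docketing systems' real logs."""
import re
from collections import defaultdict

# Constructed format: "<timestamp> <client_ip> <method> <path> <status> user=<id or ->"
# where user= is the account id bound to the request's session, or "-" if none.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)
PROFILE_PATH = re.compile(r"^/update-profile/(?P<pid>\d+)/?$")
MUTATING = {"POST", "PUT", "PATCH"}

# Constructed sample: one legitimate self-service change (user 42), a burst of
# unauthenticated changes from one source, one cross-account change, one rejected try.
SAMPLE_LOG = """\
2026-01-05T10:00:01Z 198.51.100.7 GET /login/ 200 user=-
2026-01-05T10:00:09Z 198.51.100.7 POST /update-profile/42 200 user=42
2026-01-05T10:03:44Z 203.0.113.9 POST /update-profile/17 200 user=-
2026-01-05T10:03:45Z 203.0.113.9 POST /update-profile/18 200 user=-
2026-01-05T10:03:46Z 203.0.113.9 POST /update-profile/19 200 user=-
2026-01-05T10:10:02Z 198.51.100.7 POST /update-profile/99 200 user=42
2026-01-05T10:11:00Z 198.51.100.7 GET /update-profile/42 200 user=42
2026-01-05T10:12:00Z 203.0.113.9 POST /update-profile/20 401 user=-
"""


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return a finding label for one parsed event, or None if it looks benign.

    A GET of a profile page is not a change; a mutating request to /update-profile/N
    is benign only when the session user is N.  Rejected (non-2xx) attempts are still
    reported, with a '_rejected' suffix, because repeated rejections show probing.
    """
    if event["method"] not in MUTATING:
        return None
    pm = PROFILE_PATH.match(event["path"])
    if not pm:
        return None
    if event["user"] == "-":
        base = "unauthenticated_password_change"
    elif event["user"] != pm.group("pid"):
        base = "cross_account_password_change"
    else:
        return None
    return base if event["status"].startswith("2") else base + "_rejected"


def find_suspicious(log_text):
    """Run classify() over every parseable line and return the flagged events."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            findings.append({**ev, "finding": label})
    return findings


def targets_per_source(findings):
    """Count distinct profile ids touched per client IP; a high count from one
    source is the mass-takeover pattern rather than a single mistaken request."""
    per_ip = defaultdict(set)
    for f in findings:
        per_ip[f["ip"]].add(PROFILE_PATH.match(f["path"]).group("pid"))
    return {ip: len(pids) for ip, pids in per_ip.items()}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["path"], h["status"], h["finding"])
    print("distinct profiles per source:", targets_per_source(hits))
```

The check that matters is the one in classify: a successful mutating request whose session user is not the profile id in the path should never happen on a correctly authenticated endpoint, so any such line is a finding rather than a statistical anomaly. targets_per_source separates a single stray request from the many-accounts-from-one-source pattern that a mass password reset would produce.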

Operational Fix

Recommended remediation, mitigation, and detection steps

The U.S. Government Accountability Office (GAO) and Civilian Board of Contract Appeals (CBCA) systems are likely managed by their respective IT and security teams. The first practical step is to identify all instances of these systems, confirm their accessibility and criticality, and locate the accountable owner to plan remediation based on risk.

  • Identify system owners and affected assets.
  • Verify system reachability and business criticality.
  • Plan remediation based on identified risks.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the GAO EPDS and CBCA EDS software?

These are web-based docketing platforms used for government legal proceedings. The Electronic Protest Docketing System (EPDS) and the Electronic Docketing System (EDS) allow authorized parties to manage protest filings and contract appeals. They function as centralized portals where users interact with case documentation and profile settings through an integrated web interface.

How does CWE-306 relate to CVE-2026-54103?

This CVE involves CWE-306, which refers to 'Missing Authentication for Critical Function.' In this specific case, the software fails to verify the identity of the person requesting a password change. Because this security control is absent, the system treats an unauthenticated request as legitimate, allowing the password for any user account to be altered without verification.
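To make the CWE-306 description concrete, here is an added example (not the docketing systems' code, and not from Halo) modelling a '/update-profile/N' handler in two forms: the missing-authentication pattern the CVE describes, and a hardened version that binds the request to a session, requires that the session's user is the profile being changed, re-verifies the current password, and invalidates existing sessions after the change. UserStore, Request and the handler names are hypothetical; password hashing uses PBKDF2 from the standard library.

```python
"""CWE-306 illustrated: a password-change handler with no caller authentication,
beside a hardened handler.  All class and function names are hypothetical; this is
an added example, not the EPDS/EDS implementation."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 100_000  # iteration count chosen for the example, not a production tuning


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password); a fresh random salt per call."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Request:                     # hypothetical minimal HTTP request model
    path: str
    body: dict
    cookies: dict = field(default_factory=dict)


class UserStore:                   # hypothetical in-memory user and session store
    def __init__(self):
        self.users = {}            # user_id -> stored password hash
        self.sessions = {}         # session token -> user_id

    def add_user(self, uid: int, password: str):
        self.users[uid] = hash_password(password)

    def login(self, uid: int, password: str) -> Optional[str]:
        if uid in self.users and verify_password(password, self.users[uid]):
            tok = secrets.token_urlsafe(32)
            self.sessions[tok] = uid
            return tok
        return None


def profile_id_from_path(path: str) -> Optional[int]:
    """'/update-profile/N' -> N, or None for anything else."""
    prefix = "/update-profile/"
    if not path.startswith(prefix):
        return None
    try:
        return int(path[len(prefix):])
    except ValueError:
        return None


def handle_update_profile_vulnerable(store: UserStore, req: Request) -> int:
    """The CWE-306 shape: trusts the profile id in the URL and never asks who is calling."""
    uid = profile_id_from_path(req.path)
    if uid is None or uid not in store.users:
        return 404
    store.users[uid] = hash_password(req.body["new_password"])   # no authentication at all
    return 200


def handle_update_profile_hardened(store: UserStore, req: Request) -> int:
    """Authenticate, authorize against the path's profile id, re-verify the current
    password, then rotate the hash and drop every session for that user."""
    caller = store.sessions.get(req.cookies.get("session", ""))
    if caller is None:
        return 401                              # no valid session: refuse before parsing
    uid = profile_id_from_path(req.path)
    if uid is None:
        return 404
    if caller != uid:
        return 403                              # session user must own the profile
    if not verify_password(req.body.get("current_password", ""), store.users[uid]):
        return 403                              # proof of possession of the old secret
    new = req.body.get("new_password", "")
    if len(new) < 12:
        return 400
    store.users[uid] = hash_password(new)
    store.sessions = {t: u for t, u in store.sessions.items() if u != uid}
    return 200
```

The order of checks in the hardened handler is deliberate: the session is validated before the path is parsed, so an unauthenticated caller learns nothing about which profile ids exist, and the ownership check precedes the current-password check so a wrong password for someone else's account is indistinguishable from a plain authorization failure.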

Does this vulnerability trigger via regular login screens?

No, the vulnerability is specific to the '/update-profile/N' API endpoint. It is triggered when a crafted request is sent directly to this specific path. Simply navigating to the standard login page or browsing the public-facing areas of the docketing system does not initiate the flaw; it requires a targeted interaction with the unauthenticated profile management function.

Is my system at risk according to Halo Surface Signal?

Yes, Halo Surface Signal identifies these systems as highly likely to be at risk because they are designed as public-facing web applications. Since the /update-profile/ endpoint is exposed to the internet to support remote user management for legal processes, it is inherently reachable by any remote actor without needing specialized network access.

What is the first step to address CVE-2026-54103?

You should begin by verifying whether your organization relies on these specific GAO or CBCA docketing systems. Once identified, confirm your system's current reachability and determine who is responsible for its technical maintenance. Reach out to the accountable IT or system security owner to coordinate response plans and ensure that any forthcoming updates or configuration changes are applied according to the official guidance provided for these platforms.
