The U.S. Government Accountability Office (GAO)...
Critical severity
Unreviewed
Published
Jun 18, 2026
to the GitHub Advisory Database
•
Updated Jun 18, 2026
Description
Published by the National Vulnerability Database
Jun 18, 2026
Published to the GitHub Advisory Database
Jun 18, 2026
Last updated
Jun 18, 2026
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could change an arbitrary user's password.
References