CVE-2026-54104

U.S. Government Accountability Office (GAO) · Electronic Protest Docketing System (EPDS) and Electronic Docketing System (EDS)

The EPDS and EDS docketing systems contain an authentication bypass flaw allowing privilege escalation via an unverified client-supplied parameter.

Executive summary

The U.S. GAO EPDS and CBCA EDS systems were susceptible to an authenticated privilege escalation vulnerability that could allow unauthorized users to gain elevated system access.

Vulnerability

This vulnerability is a client-side parameter manipulation flaw (CWE-602, client-side enforcement of server-side security): the application fails to validate the 'epds_role_id' parameter on the server and instead honours the value the client sends. A remote, authenticated attacker can exploit this to escalate their privileges within the docketing environment.

Business impact

The ability for an authenticated user to escalate privileges represents a significant threat to the integrity and confidentiality of sensitive government legal and contract documentation. Given the CVSS score of 8.8, this high-severity flaw poses a severe risk of unauthorized data access and potential manipulation of docketing records. Such a compromise could lead to significant reputational damage and the loss of trust in the security of government electronic filing systems.

Remediation

Immediate Action: Verify that your environment is running the patched server-side versions (EPDS 2026-02-22 or later; EDS 2026-03-19 or later) as provided by the vendor.

Proactive Monitoring: Review audit logs for anomalous account activity or unexpected changes in user role assignments within the docketing application.

Compensating Controls: Ensure that all authorization checks are strictly enforced on the server side and that no client-side input is trusted for role-based access control decisions.
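The following is an added example and not code from GAO, CBCA or the EPDS/EDS products. It places the defect class the advisory names (CWE-602, a role read from a client-supplied parameter) beside the server-side pattern the compensating-controls step calls for, and adds a small audit-log check of the kind the proactive-monitoring step asks reviewers to perform. The request shape, session store, role names and audit-log format are constructed assumptions; only the parameter name 'epds_role_id' comes from the advisory.

```python
# Added example, not the product's own code. Request shape, session store,
# role model and log format are constructed for illustration; the parameter
# name 'epds_role_id' is the only value taken from the advisory.

# Constructed role model (assumption): role -> permitted actions.
ROLE_PERMISSIONS = {
    "filer": {"view_own_docket", "submit_filing"},
    "clerk": {"view_own_docket", "submit_filing", "view_all_dockets"},
    "admin": {"view_own_docket", "submit_filing", "view_all_dockets", "manage_users"},
}

# Constructed server-side session store: session token -> authenticated account.
SESSIONS = {
    "tok-filer-1001": {"user_id": 1001, "role": "filer"},
    "tok-clerk-2002": {"user_id": 2002, "role": "clerk"},
}


class Unauthenticated(Exception):
    """Raised when the session token does not map to a logged-in account."""


def _session_for(request: dict) -> dict:
    session = SESSIONS.get(request.get("session_token"))
    if session is None:
        raise Unauthenticated("no valid session")
    return session


def authorize_vulnerable(request: dict, action: str) -> bool:
    """Defective pattern: the session is authenticated, but the role used for the
    access decision is taken from a request parameter the client controls."""
    session = _session_for(request)
    role = request.get("params", {}).get("epds_role_id", session["role"])
    return action in ROLE_PERMISSIONS.get(role, set())


def authorize_hardened(request: dict, action: str) -> bool:
    """Corrected pattern: the role comes only from the server-side session record.
    Whatever the client sends in 'epds_role_id' plays no part in the decision."""
    session = _session_for(request)
    role = session["role"]
    return action in ROLE_PERMISSIONS.get(role, set())


def role_param_mismatch(request: dict) -> bool:
    """True when the client supplied an 'epds_role_id' that disagrees with the
    session's real role. The hardened check already ignores the value; this flag
    exists so the event can be written to the audit log and reviewed."""
    session = _session_for(request)
    claimed = request.get("params", {}).get("epds_role_id")
    return claimed is not None and claimed != session["role"]


# Constructed audit log (format is an assumption): one line per authorization
# decision, key=value fields, '-' when no role parameter was sent.
SAMPLE_AUDIT_LOG = """\
2026-03-01T09:58:12Z user=1001 session_role=filer param_role=- action=submit_filing result=allow
2026-03-01T10:02:44Z user=1001 session_role=filer param_role=admin action=manage_users result=allow
2026-03-01T10:03:01Z user=2002 session_role=clerk param_role=clerk action=view_all_dockets result=allow
2026-03-01T10:07:19Z user=1001 session_role=filer param_role=admin action=manage_users result=deny
"""


def find_role_anomalies(log_text: str) -> list:
    """Return (timestamp, user, session_role, param_role, result) for every line
    where the client-supplied role differs from the session role. An 'allow'
    result on such a line is the signature of the unpatched behaviour; 'deny'
    lines still show which accounts are sending mismatched roles."""
    anomalies = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        param_role = fields.get("param_role", "-")
        if param_role != "-" and param_role != fields.get("session_role"):
            anomalies.append((ts, fields["user"], fields["session_role"],
                              param_role, fields["result"]))
    return anomalies
```

The design point is that `authorize_hardened` never reads the role parameter at all, rather than validating it: the session record is the only source of truth, so there is nothing for the client to manipulate. `role_param_mismatch` is kept separately so that a request carrying a role the account does not hold can still be recorded and surfaced by the log review, which is what the monitoring step above relies on.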

Exploitation status

Public Exploit Available: false

Analyst recommendation

While the vendor has remediated this issue server-side, it is imperative that organizations confirm their instances are fully updated to the latest versions. Developers and IT administrators should take this as a critical reminder to never trust client-supplied parameters for authorization, ensuring that all security-critical logic is handled exclusively on the backend to prevent similar escalation vectors.