Description
The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints.

This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
Published: 2026-06-19
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GridTime 3000 GNSS Time Server versions 1.0r0.03 through 1.1r0.0 inadvertently expose the access token in the URI query string of certain endpoints. The leakage lets an attacker acquire the token, which can be used to authenticate to the device and gain unauthorized access, thereby compromising confidentiality and integrity. The flaw is an information‑disclosure vulnerability (CWE‑200).

Affected Systems

The affected devices are Microchip GridTime 3000 GNSS Time Servers running firmware versions 1.0r0.03 up to and including 1.1r0.0. Firmware 1.2r0.0 and later have removed the token from URL parameters.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation at present. Exploitation likely requires network connectivity to the device and the ability to observe or capture the request URLs – for example, via traffic monitoring, log inspection, or direct interaction with the affected endpoints. Successful discovery of the token would permit the attacker to authenticate and potentially access restricted functionality.

Generated by OpenCVE AI on June 19, 2026 at 20:00 UTC.

Remediation

Vendor Solution

Upgrade the GridTime 3000 GNSS Time Server to the latest firmware. As of firmware release 1.2r0.0, access tokens have been removed from URL parameters on affected endpoints.


OpenCVE Recommended Actions

  • Upgrade the GridTime 3000 GNSS Time Server firmware to 1.2r0.0 or later to remove the token from URLs.
  • Restrict network access to the device so only trusted hosts or internal networks can reach the affected endpoints.
  • Configure logging to exclude request URLs that contain authentication tokens, or purge existing logs that may contain exposed tokens.

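One way to carry out the log clean-up from the last recommended action, as an added example (not Microchip's or OpenCVE's code): it redacts token values wherever they appear in an access-log line, including the Referer field, and keeps a short fingerprint of each exposed token so it can be matched for revocation. The parameter names, endpoint paths and log lines are assumptions constructed for illustration; the advisory names neither the parameter nor the endpoints.

```python
import hashlib
import re

# Assumption: the advisory does not name the query parameter that carries the
# token, so these names are placeholders to adjust for the real endpoints.
SENSITIVE_PARAMS = ("token", "access_token")

# Constructed sample lines (combined log format); paths and hosts are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2026:10:00:01 +0000] "GET /api/status?token=abc123DEF HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.11 - - [19/Jun/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"https://device.example/cfg?page=2&access_token=abc123DEF" "Mozilla/5.0"',
    '192.0.2.12 - - [19/Jun/2026:10:00:09 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def build_pattern(params=SENSITIVE_PARAMS):
    names = "|".join(re.escape(p) for p in params)
    # Group 1: "?name=" or "&name="; group 2: the value up to the next delimiter.
    return re.compile(rf'([?&](?:{names})=)([^&\s"#]+)', re.IGNORECASE)


def scrub_lines(lines, params=SENSITIVE_PARAMS):
    """Redact token values; return (clean_lines, affected_line_numbers, fingerprints)."""
    pattern = build_pattern(params)
    clean, affected, fingerprints = [], [], set()

    def _redact(match):
        # Store only a truncated SHA-256 of the value, never the token itself.
        digest = hashlib.sha256(match.group(2).encode()).hexdigest()
        fingerprints.add(digest[:12])
        return match.group(1) + "REDACTED"

    for number, line in enumerate(lines, start=1):
        new_line, count = pattern.subn(_redact, line)
        if count:
            affected.append(number)
        clean.append(new_line)
    return clean, affected, fingerprints


if __name__ == "__main__":
    cleaned, hit_lines, prints = scrub_lines(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("lines with tokens:", hit_lines, "distinct tokens:", len(prints))
```

Any token that turns up in a scan like this has already been written to disk and should be treated as exposed and rotated, not only redacted.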

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values added, by type (no removed values are listed):

  • Description: The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
  • Title: Access Token Exposure in URL Parameters in GridTime™ 3000 GNSS Time Server
  • Weaknesses: CWE-200
  • References
  • Metrics: cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A'}


MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2026-06-19T16:00:10.506Z

Reserved: 2026-06-18T14:15:03.036Z

Link: CVE-2026-12620

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor