Description
The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints.

This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
Published: 2026-06-19
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GridTime 3000 GNSS Time Server versions 1.0r0.03 through 1.1r0.0 inadvertently expose the access token in the URI query string of certain endpoints. The leakage lets an attacker acquire the token, which can be used to authenticate to the device and gain unauthorized access, thereby compromising confidentiality and integrity. The flaw is an information‑disclosure vulnerability (CWE‑200).

Affected Systems

The affected devices are Microchip GridTime 3000 GNSS Time Servers running firmware versions 1.0r0.03 up to and including 1.1r0.0. Firmware 1.2r0.0 and later have removed the token from URL parameters.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation at present. Exploitation likely requires network connectivity to the device and the ability to observe or capture the request URLs – for example, via traffic monitoring, log inspection, or direct interaction with the affected endpoints. Successful discovery of the token would permit the attacker to authenticate and potentially access restricted functionality.

Generated by OpenCVE AI on June 19, 2026 at 20:57 UTC.

Remediation

Vendor Solution

Upgrade GridTime 3000 GNSS Time Server to the latest firmware. As of the firmware release 1.2r0.0, Access tokens have been removed from URL parameters on affected endpoints.


OpenCVE Recommended Actions

  • Upgrade the GridTime 3000 GNSS Time Server firmware to 1.2r0.0 or later to remove the token from URLs.
  • Restrict network access to the device so only trusted hosts or internal networks can reach the affected endpoints.
  • Configure logging to exclude request URLs that contain authentication tokens, or purge existing logs that may contain exposed tokens.

Generated by OpenCVE AI on June 19, 2026 at 20:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Microchip
Microchip gridtime 3000
Vendors & Products Microchip
Microchip gridtime 3000

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
Title Access Token Exposure in URL Parameters in GridTime™ 3000 GNSS Time Server
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A'}


Subscriptions

Microchip Gridtime 3000
cve-icon MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2026-06-29T05:22:09.732Z

Reserved: 2026-06-18T14:15:03.036Z

Link: CVE-2026-12620

cve-icon Vulnrichment

Updated: 2026-06-22T16:52:53.157Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:30Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor