Introduction:
During a security engagement, Leo Diamat discovered that the GridTime 3000 GNSS Time Server web application transmitted session access tokens via URL query string parameters on multiple endpoints. Because URLs are routinely logged, cached, and forwarded by browsers, proxies, and servers, this exposes access tokens to disclosure through channels outside the application's intended security boundary.
This vulnerability affects GridTime 3000 firmware 1.0r0.03 through 1.1r0.0 and was assigned CVE-2026-12620 and has a CVSS score of 4.6 (Medium) (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A).
This post outlines the technical details of this vulnerability, how it could be exploited and the potential impact to users. This issue has been resolved in firmware release 1.2r0.0.
The Vulnerability:
The GridTime 3000 web application passed the user's access token as a URL query parameter (authorization=<access_token>) rather than transmitting it via an HTTP header (e.g. Authorization: Bearer<token>) or a secure, HttpOnly cookie. As a result, the token wase xposed in several locations outside the application's control, including:
- Browser history and address bar
- Web server access logs
- Proxy and load balancer logs
- The Referer header sent to third-party resources loaded from the same page
- Browser cache and autocomplete storage
An attacker with access to any of these locations (e.g. a shared workstation, a compromised logging system, or a malicious/compromised third-party resource loaded by the page) could extract a valid access token and replay it to impersonate the authenticated user, without needing to intercept network traffic directly.
The following endpoints were confirmed to leak access tokens via the URL:
- /api/configuration?authorization=<access_token>
- /api/logs/download?authorization=<access_token>
The screenshot below demonstrates the access token being disclosed in the URL when downloading the device configuration:

Impact:
An attacker who is able to gain access to a disclosed access token (for example, via shared logs, browser history on a shared device, or an exposed Referer header) could replay it to gain limited unauthorised access to configuration or log data. Exploitation requires an already-privileged position and some degree of user interaction, which limits the practical severity of this issue, as reflected in the CVSS score.
Recommendation:
- Upgrade to firmware release 1.2r0.0 or later, in which this issue has been resolved.
Disclosure Timeline:
- February 24th, 2026: Issue reported to the GridTime 3000 Security Team (PSIRT)
- February 25th, 2026: Issue acknowledged and PSIRT-127 assigned
- June 21st, 2026:CVE-2026-12620 assigned
- June 21st, 2026: Fix released in firmware 1.2r0.0
- July 8th 2026: Advisory Live