Bastion Security

Access Token Exposure in URL Parameters in GridTime™ 3000 GNSS Time Server - (CVE-2026-12620)

During a security engagement, Leo Diamat discovered that the GridTime 3000 GNSS Time Server web application transmitted session access tokens via URL query string parameters on multiple endpoints.
Talk to an expert

During a security engagement, Leo Diamat discovered that the GridTime 3000 GNSS Time Server web application transmitted session access tokens via URL query string parameters on multiple endpoints. Because URLs are routinely logged, cached, and forwarded by browsers, proxies, and servers, this exposes access tokens to disclosure through channels outside the application's intended security boundary.

This vulnerability affects GridTime 3000 firmware 1.0r0.03 through 1.1r0.0 and was assigned CVE-2026-12620 and has a CVSS score of 4.6 (Medium) (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A).

This post outlines the technical details of this vulnerability, how it could be exploited and the potential impact to users. This issue has been resolved in firmware release 1.2r0.0.

July 8, 2026

Introduction:

During a security engagement, Leo Diamat discovered that the GridTime 3000 GNSS Time Server web application transmitted session access tokens via URL query string parameters on multiple endpoints. Because URLs are routinely logged, cached, and forwarded by browsers, proxies, and servers, this exposes access tokens to disclosure through channels outside the application's intended security boundary.

This vulnerability affects GridTime 3000 firmware 1.0r0.03 through 1.1r0.0 and was assigned CVE-2026-12620 and has a CVSS score of 4.6 (Medium) (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A).

This post outlines the technical details of this vulnerability, how it could be exploited and the potential impact to users. This issue has been resolved in firmware release 1.2r0.0.

The Vulnerability:

The GridTime 3000 web application passed the user's access token as a URL query parameter (authorization=<access_token>) rather than transmitting it via an HTTP header (e.g. Authorization: Bearer<token>) or a secure, HttpOnly cookie. As a result, the token wase xposed in several locations outside the application's control, including:

  • Browser history and address bar
  • Web server access logs
  • Proxy and load balancer logs
  • The Referer header sent to third-party resources loaded from the same page
  • Browser cache and autocomplete storage

An attacker with access to any of these locations (e.g. a shared workstation, a compromised logging system, or a malicious/compromised third-party resource loaded by the page) could extract a valid access token and replay it to impersonate the authenticated user, without needing to intercept network traffic directly.

The following endpoints were confirmed to leak access tokens via the URL:

  • /api/configuration?authorization=<access_token>
  • /api/logs/download?authorization=<access_token>

The screenshot below demonstrates the access token being disclosed in the URL when downloading the device configuration:

CVE-2026-12620

Impact:

An attacker who is able to gain access to a disclosed access token (for example, via shared logs, browser history on a shared device, or an exposed Referer header) could replay it to gain limited unauthorised access to configuration or log data. Exploitation requires an already-privileged position and some degree of user interaction, which limits the practical severity of this issue, as reflected in the CVSS score.

Recommendation:

  • Upgrade to firmware release 1.2r0.0 or later, in which this issue has been resolved.

Disclosure Timeline:

  • February 24th, 2026: Issue reported to the GridTime 3000 Security Team (PSIRT)
  • February 25th, 2026: Issue acknowledged and PSIRT-127 assigned
  • June 21st, 2026:CVE-2026-12620 assigned
  • June 21st, 2026: Fix released in firmware 1.2r0.0
  • July 8th 2026: Advisory Live

Service Development Manager
Government Agency
"Great service, clear, detailed and precise information on what our vulnerabilities were and what needs addressing. Couldn't have been easier to deal with and very professional."
Expert methods

We have the tools to pinpoint risks

Whether it’s hidden vulnerabilities or patterns you might miss, we help you stay one step ahead and make confident, informed decisions. Understand how our services can help your business uncover critical risks

Talk to an expert
Employee Cyber Training & Awareness
Your people are your first line of defence. Our cyber training builds awareness and sharpens their instincts.
Advisory
When clarity is critical and stakes are high, our advisory services deliver strategic, executive-level security expertise that empowers decision-making.