We detect you are using an unsupported browser. For the best experience, please visit the site using Chrome, Firefox, Safari, or Edge. X
Maximize Your Experience: Reap the Personalized Advantages by Completing Your Profile to Its Fullest. Update Here
Stay in the loop with the latest from Microchip. Update your profile while you are at it. Update Here
Complete your profile to access more resources. Update Here
Cross-reference search

PSIRT-145: GridTime™ 3000 GNSS Time Server Access Token Exposure

Vulnerability Details

Access Token Exposure in URL Parameters in GridTime™ 3000 GNSS Time Server

Several endpoints leaked the access token when accessed in the GridTime 3000 GNSS Time Server. This issue affects GridTime 3000: from 1.0r0.03 before 1.2r0.0.

Date of Disclosure: 06/10/2026

Affected Product:  GridTime 3000 GNSS Time Server

  • Vulnerability Type: Access token exposure
  • CVE Identifier: CVE-2026-145
  • CVSS Score:  CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A
    CVSS 4.0 Score: 4.6 / Medium 
  • Vulnerability Description:
    • The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints
  • Affected Versions: 
    • Firmware 1.0r0.03 through 1.1r0.0
  • Vulnerability Status: 
    • Resolved in firmware release 1.2r0.0

Risk Assessment

Exploitation of the vulnerability allows an attacker with valid credentials to use the access token to impersonate a legitimate user.

Mitigation

Upgrade GridTime 3000 GNSS Time Server to the latest firmware

Patch/Release Information

As of the firmware release 1.2r0.0, Access tokens have been removed from URL parameters on affected endpoints.

Recommendations

It is strongly recommended that all customers upgrade GridTime 3000 GNSS Time Server to firmware version 1.2r0.0 or newer.

Live Chat

Need Help?

Privacy Policy