Insufficient Access Control in Sesame Time Web Application
CVE-2026-15389
8.7HIGH
What is CVE-2026-15389?
A critical flaw in the session management of the Sesame Time web application and its REST v3 API has been identified, which relies solely on the session identifier (USID) for validation of user requests. This insufficient access control allows attackers who gain access to a valid USID to impersonate user sessions and potentially access sensitive information, including emails and corporate data. Compounding the issue, poor session lifecycle management permits multiple USIDs to remain active simultaneously, increasing the risk of unauthorized access.
Affected Version(s)
Sesame Time 0
