Insufficient Access Control in Sesame Time Web Application
CVE-2026-15389

8.7HIGH

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-15389?

A critical flaw in the session management of the Sesame Time web application and its REST v3 API has been identified, which relies solely on the session identifier (USID) for validation of user requests. This insufficient access control allows attackers who gain access to a valid USID to impersonate user sessions and potentially access sensitive information, including emails and corporate data. Compounding the issue, poor session lifecycle management permits multiple USIDs to remain active simultaneously, increasing the risk of unauthorized access.

Affected Version(s)

Sesame Time 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Miguel Jiménez Cámara
.