PatchSiren cyber security CVE debrief
CVE-2026-15389 Sesame Time CVE debrief
The CVE-2026-15389 vulnerability involves insufficient access control in the Sesame Time web application and its REST v3 API session management. The system relies solely on the session identifier (USID) for validation, without verifying if the USID belongs to the user making the request. This allows an attacker with a valid USID to impersonate a victim's session and access confidential information such as emails, user IDs, roles, and corporate data. The vulnerability is worsened by poor session lifecycle management, as new logins generate additional USIDs without revoking previous ones, allowing multiple active sessions to coexist and increasing the attack surface.
- Vendor
- Sesame Time
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Organizations using the Sesame Time web application and its REST v3 API should prioritize patching this vulnerability to prevent session impersonation attacks. Security teams and administrators responsible for web application security, particularly those handling user session management, should be aware of this issue and take immediate action to mitigate the risk.
Technical summary
The Sesame Time web application and its REST v3 API have a vulnerability (CVE-2026-15389) due to insufficient access control in session management. The system uses the session identifier (USID) as the sole validation mechanism without verifying its legitimacy for the user making the request. This flaw enables an attacker with a valid USID to impersonate a victim's session, granting access to sensitive information such as emails, user IDs, roles, and corporate data. The vulnerability is exacerbated by poor session lifecycle management, as new logins generate additional USIDs without revoking previous ones, allowing multiple active sessions to coexist and expanding the attack surface.
Defensive priority
High
Recommended defensive actions
- Apply the vendor's patch or recommended fix for the Sesame Time web application and its REST v3 API to address the insufficient access control vulnerability.
- Implement additional session management security measures, such as verifying user identity beyond just the session identifier (USID).
- Review and update session lifecycle management policies to ensure proper revocation of previous sessions upon new logins.
- Monitor for suspicious session activity and implement logging and alerting for potential impersonation attempts.
- Conduct a thorough review of the web application's access control mechanisms to identify and address any similar vulnerabilities.
Evidence notes
The CVE-2026-15389 vulnerability was identified in the Sesame Time web application and its REST v3 API. The flaw relates to insufficient access control in session management, allowing an attacker with a valid session identifier (USID) to impersonate a victim's session. The vulnerability is attributed to the system's reliance solely on the USID for validation without verifying its legitimacy for the user making the request. This issue is exacerbated by poor session lifecycle management practices. The CVE record was published on 2026-07-14T11:16:48.053Z and has not been modified since then. The NVD entry is currently in the 'Received' status.
Official resources
-
CVE-2026-15389 CVE record
CVE.org
-
CVE-2026-15389 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T11:16:48.053Z and has not been modified since then. The NVD entry is currently Received.