PatchSiren

Sesame Time CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Sesame Time CVE published 2026-07-14

CVE-2026-15389

The CVE-2026-15389 vulnerability involves insufficient access control in the Sesame Time web application and its REST v3 API session management. The system relies solely on the session identifier (USID) for validation, without verifying if the USID belongs to the user making the request. This allows an attacker with a valid USID to impersonate a victim's session and access confidential information such as [truncated]