Skip to main content

Sesame Time CVE-2026-15389

| EUVDEUVD-2026-43657 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-14 INCIBE GHSA-98qr-jpxv-vfp8
8.7
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable API, low complexity, and no privilege to the target account (USID acts as an unbound bearer key) give PR:N; impact is confidentiality-only, so I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 10:49 vuln.today
CVE Published
Jul 14, 2026 - 10:10 cve.org
HIGH 8.7

DescriptionCVE.org

A vulnerability relating to insufficient access control has been identified in the session management of the Sesame Time web application and its REST v3 API. The flaw lies in the fact that the system uses the session identifier (USID) as the sole validation mechanism, without verifying whether that identifier legitimately belongs to the user making the request. As a result, an attacker who obtains a valid USID can impersonate a victim’s session and access their confidential information, including emails, user IDs, roles and corporate data. This vulnerability is exacerbated by poor session lifecycle management: new logins generate additional USIDs without revoking the previous ones, allowing multiple active sessions to coexist and thereby expanding the attack surface.

AnalysisAI

Broken object-level authorization in the Sesame Time web application and its REST v3 API lets remote attackers hijack another user's session by presenting a valid session identifier (USID), because the platform treats the USID as a bearer credential and never verifies that it belongs to the requester. Any attacker who obtains a valid USID can read a victim's confidential data - emails, user IDs, roles and corporate information - and the weakness is compounded by session sprawl, since new logins mint additional USIDs without invalidating prior ones. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid victim USID
Exploit
Replay USID to REST v3 API
Execution
API validates token without ownership check
Impact
Retrieve victim emails, IDs, roles, corporate data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid, active USID session identifier for a target account; the flaw is that the Sesame Time web app and REST v3 API validate this USID as the sole credential without confirming it belongs to the requester, so any obtained USID grants access to that victim's data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor/reporter (INCIBE) supplies a CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N scoring 8.7 (High), reflecting network reach, low complexity, no privileges, no user interaction, and high confidentiality impact with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker captures a valid USID belonging to a Sesame Time user - for example through network interception, a leaked log, or a shared/exposed link - and replays it against the REST v3 API. Because the API validates only that the USID is well-formed and active, not that it belongs to the caller, the attacker retrieves the victim's emails, user ID, role, and corporate data. …
Remediation No vendor-released patch version was identified at time of analysis; consult the INCIBE-CERT advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-sesame-time-session-management) and the vendor for a fixed release, since this is a server-side SaaS flaw that must ultimately be corrected by the provider by binding each USID to its owning user and enforcing object-level authorization on every REST v3 API call. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: perform inventory of all active Sesame Time sessions and implement enhanced monitoring for anomalous cross-user session access patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy