Skip to main content

Sesame Time

1 CVEs product

Monthly

CVE-2026-15389 HIGH This Week

Broken object-level authorization in the Sesame Time web application and its REST v3 API lets remote attackers hijack another user's session by presenting a valid session identifier (USID), because the platform treats the USID as a bearer credential and never verifies that it belongs to the requester. Any attacker who obtains a valid USID can read a victim's confidential data - emails, user IDs, roles and corporate information - and the weakness is compounded by session sprawl, since new logins mint additional USIDs without invalidating prior ones. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Sesame Time
NVD
CVSS 4.0
8.7
EPSS
0.3%
EPSS 0% CVSS 8.7
HIGH This Week

Broken object-level authorization in the Sesame Time web application and its REST v3 API lets remote attackers hijack another user's session by presenting a valid session identifier (USID), because the platform treats the USID as a bearer credential and never verifies that it belongs to the requester. Any attacker who obtains a valid USID can read a victim's confidential data - emails, user IDs, roles and corporate information - and the weakness is compounded by session sprawl, since new logins mint additional USIDs without invalidating prior ones. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Sesame Time
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy