CVE-2026-15389
Sesame · Sesame Time
Sesame Time contains an authorization bypass vulnerability in its session management and REST v3 API, allowing unauthenticated attackers to access unauthorized information.
Executive summary
An unauthenticated authorization bypass in Sesame Time poses a critical risk of unauthorized data access due to flaws in session management and API controls.
Vulnerability
This is an authorization bypass vulnerability (CWE-639) where user-controlled keys are not properly validated. The vulnerability is exploitable by unauthenticated remote attackers via the web application or REST v3 API.
Business impact
The vulnerability allows unauthorized parties to access sensitive data associated with other users or organizational records. Given the CVSS score of 8.7, this represents a high-severity risk that could lead to significant data breaches, loss of customer trust, and non-compliance with data protection regulations.
Remediation
Immediate Action: Update to the latest version of Sesame Time as provided by the vendor, which includes strengthened authorization checks and improved session management.
Proactive Monitoring: Review application and API access logs for unusual patterns, such as multiple session requests originating from a single source or attempts to access resources with arbitrary user keys.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious API calls and enforce strict session validation patterns.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is highly critical due to its unauthenticated nature and potential for direct data exfiltration. Organizations using Sesame Time must prioritize updating to the latest version to ensure that server-side authorization checks are correctly enforced for all session-based requests.