CVE-2026-15389

Sesame · Sesame Time

Sesame Time contains an authorization bypass vulnerability in its session management and REST v3 API, allowing unauthenticated attackers to access unauthorized information.

Executive summary

An unauthenticated authorization bypass in Sesame Time poses a critical risk of unauthorized data access due to flaws in session management and API controls.

Vulnerability

This is an authorization bypass vulnerability (CWE-639) where user-controlled keys are not properly validated. The vulnerability is exploitable by unauthenticated remote attackers via the web application or REST v3 API.

Business impact

The vulnerability allows unauthorized parties to access sensitive data associated with other users or organizational records. Given the CVSS score of 8.7, this represents a high-severity risk that could lead to significant data breaches, loss of customer trust, and non-compliance with data protection regulations.

Remediation

Immediate Action: Update to the latest version of Sesame Time as provided by the vendor, which includes strengthened authorization checks and improved session management.

Proactive Monitoring: Review application and API access logs for unusual patterns, such as multiple session requests originating from a single source or attempts to access resources with arbitrary user keys.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious API calls and enforce strict session validation patterns.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is highly critical due to its unauthenticated nature and potential for direct data exfiltration. Organizations using Sesame Time must prioritize updating to the latest version to ensure that server-side authorization checks are correctly enforced for all session-based requests.