CVE-2026-15389 in Sesame Timeinfo

Summary

by MITRE • 07/14/2026

A vulnerability relating to insufficient access control has been identified in the session management of the Sesame Time web application and its REST v3 API. The flaw lies in the fact that the system uses the session identifier (USID) as the sole validation mechanism, without verifying whether that identifier legitimately belongs to the user making the request. As a result, an attacker who obtains a valid USID can impersonate a victim’s session and access their confidential information, including emails, user IDs, roles and corporate data. This vulnerability is exacerbated by poor session lifecycle management: new logins generate additional USIDs without revoking the previous ones, allowing multiple active sessions to coexist and thereby expanding the attack surface.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability represents a critical insufficient access control flaw in the Sesame Time web application's session management system that directly violates fundamental security principles outlined in cwe 285 and cwe 306. The core technical issue stems from the application's reliance on session identifiers as the sole authentication mechanism without proper session validation procedures, creating an environment where session hijacking becomes trivial for attackers who can obtain valid user session tokens. The absence of session ownership verification means that any attacker possessing a legitimate USID token can seamlessly impersonate the associated user account and gain unauthorized access to sensitive corporate data including confidential emails, user identification information, role assignments, and proprietary business information.

The operational impact of this vulnerability extends beyond simple unauthorized access to encompass significant data breach risks and potential corporate espionage scenarios. Attackers can leverage this flaw to maintain persistent access to victim accounts while multiple active sessions coexist due to poor session lifecycle management practices that violate established security controls described in cwe 305. This creates a dangerous situation where legitimate users may unknowingly have their sessions compromised, and the system's inability to properly terminate old sessions while establishing new ones allows for extended periods of unauthorized access. The vulnerability aligns with attack techniques documented in the mitre att&ck framework under initial access and credential access phases, specifically targeting session management weaknesses that enable attackers to escalate privileges and maintain persistent access.

The root cause of this issue lies in the fundamental misunderstanding of session security principles where session identifiers are treated as sufficient authentication tokens rather than temporary access credentials requiring proper validation. This flaw represents a classic case of inadequate session management that allows for session fixation and hijacking attacks, where attackers can obtain valid session identifiers through various means such as network sniffing, cross-site scripting attacks, or other reconnaissance techniques. The lack of proper session binding to user context, IP addresses, or device fingerprints creates an environment where session tokens can be freely transferred between users without any verification process. Security controls should have implemented session validation procedures that verify token ownership before granting access, along with proper session termination mechanisms that revoke old sessions upon new login events to prevent the accumulation of active sessions that expand the potential attack surface.

Mitigation strategies must address both immediate remediation and long-term architectural improvements to prevent similar vulnerabilities from recurring. The primary fix involves implementing robust session validation that verifies token ownership through additional authentication factors, including user context verification and proper session binding mechanisms. Organizations should implement session invalidation protocols that automatically terminate previous sessions upon new login attempts, ensuring that only the most recent active session remains valid. Additional security measures include implementing secure session storage with proper encryption, adding multi-factor authentication requirements for sensitive operations, and establishing comprehensive session monitoring capabilities to detect unusual access patterns. The solution must also incorporate proper session lifecycle management practices that align with industry standards such as those defined in owasp top ten and nist cybersecurity framework guidelines for secure session handling and user authentication controls.

Responsible

INCIBE

Reservation

07/10/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!