CVE-2026-45091

sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)

Assigner: GitHub_M
Reserved: 08.05.2026 Published: 12.05.2026 Updated: 12.05.2026

sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	davidalmeidac
Product	sealed-env
Versions	Version < 0.1.0-alpha.4 is affected

Vendor

davidalmeidac

Product

sealed-env

Versions

Version < 0.1.0-alpha.4 is affected

References

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE
CWE-522: Insufficiently Protected Credentials CWE

CVE-2026-45091 PUBLISHED

sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)

Metrics

Product Status

References

Problem Types