CVE-2026-45091
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
Vexday Risk Score: 48 (Attention)
SSVC decision (CISA): Attend. PoC available → attend closely.
CVSS 9.1 · EPSS 0.3% · KEV: no · PoC: public · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
12 May 2026: Published on NVD
16 May 2026: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. A JWS payload is base64url-encoded JSON: it is signed, NOT encrypted. Any party who could observe a minted token (CI build logs, container environment dumps, kubectl describe pod output, Sentry/Rollbar stack traces, log aggregators) could decode the payload and recover the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
davidalmeidac · sealed-env
Public PoCs found: 1
GitHub: github.com/HORKimhab/CVE-2026-45091 (★ 0). Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.