DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-45091: Cleartext TOTP Secret Exposure in sealed-env JWS Tokens

Vulnerability ID: CVE-2026-45091
CVSS Score: 9.1
Published: 2026-05-12

The sealed-env library embeds operator TOTP secrets in the payload of the JWS tokens it mints. A JWS is signed, not encrypted: its payload is only Base64url-encoded, so anyone who obtains a token (from CI/CD logs, container dumps, or monitoring systems) can decode it without any key, recover the TOTP seed, and bypass multi-factor authentication for that operator.

TL;DR

Versions 0.1.0-alpha.1 through 0.1.0-alpha.3 of the sealed-env library mint JWS tokens whose payloads carry plaintext TOTP secrets. Decoding the payload is trivial, so a leaked token yields a working MFA seed.

⚠️ Exploit Status: PoC

Technical Details

  • CVSS Score: 9.1 (CRITICAL)
  • Attack Vector: Network
  • CWE ID: CWE-200, CWE-522
  • Privileges Required: None
  • Affected Versions: 0.1.0-alpha.1 - 0.1.0-alpha.3
  • CISA KEV: Not Listed

Affected Systems

  • sealed-env Node.js SDK
  • sealed-env Java Spring Boot integration
  • sealed-env: >= 0.1.0-alpha.1, <= 0.1.0-alpha.3 (Fixed in: 0.1.0-alpha.4)

Mitigation Strategies

  • Upgrade the sealed-env library to version 0.1.0-alpha.4 before doing anything else; secrets rotated on a vulnerable version are embedded in the next minted token.
  • Rotate all operator TOTP secrets after the upgrade, and treat every secret that ever appeared in a minted token as compromised.
  • Purge CI/CD logs, container dumps, and monitoring systems containing legacy unseal tokens; each retained token is a copy of the secret.

Remediation Steps:

  1. Identify all Node.js and Java Spring Boot applications running sealed-env versions 0.1.0-alpha.1 through 0.1.0-alpha.3.
  2. Update dependencies in package.json or pom.xml/build.gradle to target sealed-env version 0.1.0-alpha.4.
  3. Deploy the updated application to production environments.
  4. Access the sealed-env administrative interface and invalidate all existing operator TOTP configurations.
  5. Require operators to register new TOTP credentials.
  6. Search centralized logging systems and CI/CD pipelines for existing JWS tokens (three Base64url segments separated by dots), decode their payloads to confirm which operators' secrets were exposed, and delete the offending records.

Read the full report for CVE-2026-45091 on our website for more details including interactive diagrams and full exploit analysis.
