CVE-2026-45091: Cleartext TOTP Secret Exposure in sealed-env JWS Tokens
Vulnerability ID: CVE-2026-45091
CVSS Score: 9.1
Published: 2026-05-12
The sealed-env library embeds operator TOTP secrets in the payload of the JWS tokens it mints. A JWS payload is only Base64url-encoded, not encrypted (the signature provides integrity, not confidentiality), so anyone who obtains a token, for example from a CI/CD log or a container dump, can decode the secret without any key, generate valid TOTP codes, and bypass multi-factor authentication controls.
TL;DR
Versions 0.1.0-alpha.1 through 0.1.0-alpha.3 of the sealed-env library suffer from a critical flaw: the Base64url-encoded payload of minted JWS tokens contains operator TOTP secrets in cleartext. Anyone who can read a token can recover the secret and compute valid codes, making the MFA bypass trivial.
⚠️ Exploit Status: POC
Technical Details
- CVSS Score: 9.1 (CRITICAL)
- Attack Vector: Network
- CWE ID: CWE-200, CWE-522
- Privileges Required: None
- Affected Versions: 0.1.0-alpha.1 - 0.1.0-alpha.3
- CISA KEV: Not Listed
Affected Systems
- sealed-env Node.js SDK
- sealed-env Java Spring Boot integration
- sealed-env: >= 0.1.0-alpha.1, <= 0.1.0-alpha.3 (Fixed in: 0.1.0-alpha.4)
Mitigation Strategies
- Upgrade the sealed-env library to version 0.1.0-alpha.4.
- Rotate all TOTP secrets for operator accounts, and treat any secret that was ever embedded in a minted token as compromised; upgrading alone does not revoke secrets already exposed in existing tokens.
- Purge CI/CD logs, container dumps, and monitoring systems containing legacy unseal tokens, since each stored token still reveals the secret it was minted with.
Remediation Steps
- Identify all Node.js and Java Spring Boot applications running sealed-env versions 0.1.0-alpha.1 through 0.1.0-alpha.3.
- Update dependencies in package.json or pom.xml/build.gradle to target sealed-env version 0.1.0-alpha.4.
- Deploy the updated application to production environments.
- Access the sealed-env administrative interface and invalidate all existing operator TOTP configurations.
- Require operators to register new TOTP credentials.
- Search centralized logging systems and CI/CD pipelines for existing JWS tokens, confirm which ones carry a TOTP secret in the payload, and delete the offending records.