CVE-2026-45091 Overview
CVE-2026-45091 is a critical information disclosure vulnerability in sealed-env, a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embed the operator's literal Time-based One-Time Password (TOTP) secret in the JSON Web Signature (JWS) payload of every minted unseal token. JWS payloads are base64-encoded JSON, not encrypted. Any actor with access to a minted token can decode the payload and recover the TOTP seed in plaintext. The flaw is fixed in version 0.1.0-alpha.4. The issue is categorized under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Unseal tokens leaking through CI logs, container env dumps, error tracking platforms, or log aggregators expose the operator TOTP seed, defeating multi-factor protection around sealed secrets.
Affected Products
- sealed-env 0.1.0-alpha.1 (enterprise mode)
- sealed-env 0.1.0-alpha.2 (enterprise mode)
- sealed-env 0.1.0-alpha.3 (enterprise mode)
Discovery Timeline
- 2026-05-12 - CVE-2026-45091 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45091
Vulnerability Analysis
The vulnerability sits in the unseal token minting path of sealed-env enterprise mode. When the library issues an unseal token, it constructs a JWS and places the operator's raw TOTP secret directly into the token payload. JWS signs and base64url-encodes the payload but does not encrypt it. Anyone who reads the token can decode the middle segment and recover the TOTP seed as plaintext JSON.
The TOTP seed is the long-lived factor in any TOTP authentication scheme. Once disclosed, the attacker can generate valid one-time codes indefinitely until the seed is rotated. This breaks the second factor that gates the sealed secret material the library is designed to protect.
The attack does not require privileges or user interaction. An observer who captures the token through any side channel can recover the secret offline.
Root Cause
The root cause is a design error: storing high-value cryptographic material inside the JWS payload rather than treating the payload as public data. JWS guarantees integrity and authenticity through its signature, but the payload is readable by anyone. The fix in 0.1.0-alpha.4 removes the TOTP seed from the token payload.
Attack Vector
Exposure surfaces include CI build logs, container environment dumps, kubectl describe pod output, Sentry and Rollbar stack traces, and centralized log aggregators. Any operational telemetry that captures the unseal token text becomes a credential leak. An attacker with read access to those systems decodes the token's payload segment with standard base64 tooling and extracts the TOTP secret without further interaction.
See the GitHub Security Advisory GHSA-x3r2-fj3r-g5mv for vendor details.
Detection Methods for CVE-2026-45091
Indicators of Compromise
- Unseal tokens issued by sealed-env versions 0.1.0-alpha.1 through 0.1.0-alpha.3 recorded in build logs, pod descriptions, or error trackers.
- Successful TOTP-gated unseal operations from unexpected source IPs or service accounts following a token exposure event.
- Access patterns to log aggregators or APM platforms that scrape JWS-shaped strings (eyJ...).
Detection Strategies
- Scan log archives, CI artifact storage, and error tracking backends for JWS tokens issued by sealed-env, decoding the payload segment to confirm presence of a totp or equivalent secret field.
- Inventory all repositories and deployments using sealed-env and pin the installed version against the fixed release 0.1.0-alpha.4.
- Alert on TOTP validation events that succeed from previously unseen client identifiers after token-exposing incidents.
Monitoring Recommendations
- Enable secret scanning on source repositories, CI logs, and ticketing systems for base64url payloads containing TOTP seed patterns.
- Forward unseal authentication events to a centralized analytics pipeline and track first-seen actors and geolocations for each operator identity.
- Audit redaction filters in Sentry, Rollbar, and log shippers to confirm that tokens labeled as bearer or unseal material are stripped before storage.
How to Mitigate CVE-2026-45091
Immediate Actions Required
- Upgrade sealed-env to version 0.1.0-alpha.4 or later across all Node.js and Java/Spring Boot services in enterprise mode.
- Rotate every operator TOTP secret that was ever bound to a token minted by an affected version. Treat the prior seeds as compromised.
- Purge captured unseal tokens from CI logs, container runtime logs, APM error reports, and log aggregator indices.
Patch Information
The maintainer fixed CVE-2026-45091 in sealed-env0.1.0-alpha.4 by removing the TOTP secret from the JWS payload. Refer to the GitHub Security Advisory GHSA-x3r2-fj3r-g5mv for release notes and upgrade guidance.
Workarounds
- If immediate upgrade is not possible, disable enterprise mode token minting until the fixed version is deployed.
- Restrict who can read CI logs, pod descriptions, and error tracking projects to limit exposure of any tokens issued by affected versions.
- Configure log redaction rules to strip JWS-shaped strings (eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+) before they reach persistent storage.
# Upgrade sealed-env to the fixed release
npm install sealed-env@0.1.0-alpha.4
# Java/Spring Boot (Maven): pin the fixed version in pom.xml
# <dependency>
# <groupId>dev.sealedenv</groupId>
# <artifactId>sealed-env</artifactId>
# <version>0.1.0-alpha.4</version>
# </dependency>
# Verify no affected versions remain
npm ls sealed-env | grep -E '0\.1\.0-alpha\.[1-3]'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
