CVE-2026-45091: Critical Secret Exposure in sealed-env Library

The National Vulnerability Database has detailed CVE-2026-45091, a critical vulnerability (CVSS 9.1) in the sealed-env Node.js and Java/Spring Boot secret management library. Specifically, sealed-env in enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3, inadvertently embedded the operator’s literal Time-based One-Time Password (TOTP) secret directly into the JSON Web Signature (JWS) payload of every unseal token. This JWS payload is base64-encoded JSON, not encrypted.

This design flaw means that any entity capable of observing a minted unseal token could decode its payload and extract the sensitive TOTP secret in plaintext. The exposure vectors are alarmingly broad, including CI build logs, container environment dumps, kubectl describe pod output, Sentry or Rollbar stack traces, and centralized log aggregators. This is a fundamental breakdown in secret confidentiality: a JWS signature protects the integrity of the token, not the secrecy of its contents.

Attackers don’t need to bypass encryption or exploit complex logic; they just need observation. The fix, available in sealed-env version 0.1.0-alpha.4, addresses this by preventing the embedding of the TOTP secret. This is a stark reminder that ‘security by obscurity’ with base64 encoding is not security at all, especially for critical authentication material.

What This Means For You

  • If your organization uses `sealed-env` in enterprise mode, specifically versions 0.1.0-alpha.1 through 0.1.0-alpha.3, you are exposed. Immediately upgrade to version 0.1.0-alpha.4. Furthermore, assume any TOTP secrets used with these vulnerable versions have been compromised. Rotate these secrets immediately and audit all logs for any instances where unseal tokens may have been exposed. This vulnerability provides a direct pathway to critical system access.

🛡️ Detection Rules

title: 'CVE-2026-45091: Exposure of TOTP Secret in sealed-env JWS Payload'
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects the exposure of the TOTP secret within the JWS payload by looking for requests to the sealed-env token endpoint that contain a JWS header indicative of the vulnerable versions. The JWS payload is base64-encoded JSON and not encrypted, allowing any observer to decode it and extract the TOTP secret if they can access the token.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45091/
tags:
  - attack.credential_access
  - attack.t1539
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/.well-known/sealer/token'
    # This string is the base64url encoding of {"alg":"HS256","typ":"JWT"},
    # the header of any HS256 JWT, so on its own it does not identify a
    # sealed-env token or a vulnerable version; it only confirms a token
    # was carried in the query string alongside the endpoint path above.
    cs-uri-query|contains:
      - 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'
  # condition sits at the detection level, not inside the selection
  condition: selection
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID | Type | Indicator
CVE-2026-45091 | Information Disclosure | sealed-env library versions 0.1.0-alpha.1 through 0.1.0-alpha.3
CVE-2026-45091 | Information Disclosure | TOTP secret embedded in JWS payload of unseal tokens
CVE-2026-45091 | Information Disclosure | JWS payload is base64-encoded JSON, not encrypted

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 17:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
