CVE-2026-45091

CRITICAL

sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-45091. PoCs published by HORKimhab.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2026-45091 that extracts TOTP secrets from the JWT tokens used by the 'sealed-env' project. It includes both a Bash script and a Node.js script that decode and parse the token payload to retrieve the TOTP secret.

Description

sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. The JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.
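A defender-side check for the exposure described above, added here as an example and not sealed-env's own code: it decodes the payload of any compact JWS found in captured log lines without verifying the signature (the payload is readable regardless) and flags claims whose values have the shape of a base32 TOTP secret, so leaked tokens can be found and the secret rotated. The tokens, claim names and log lines are constructed for the demo; sealed-env's real claim names are not given on this page.

```python
import base64
import json
import re

# Heuristic for a base32 TOTP secret (RFC 4648 alphabet, typical 16-64 chars).
BASE32_SECRET = re.compile(r"^[A-Z2-7]{16,64}=*$")
# Compact JWS: header.payload.signature; a JSON header always encodes to "eyJ...".
TOKEN_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWS strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def build_demo_token(payload: dict) -> str:
    """Build a constructed compact JWS for the demo; the signature is a dummy."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.dummysig"

def find_secret_claims(token: str) -> dict:
    """Return payload claims whose values look like base32 secrets (no sig check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(b64url_decode(parts[1]))
    return {k: v for k, v in claims.items()
            if isinstance(v, str) and BASE32_SECRET.match(v)}

def scan_log_lines(lines):
    """Report (line number, leaking claim names) for every token found in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            leaked = find_secret_claims(tok)
            if leaked:
                hits.append((n, sorted(leaked)))
    return hits

# Constructed samples: one token as minted by the vulnerable versions, one without the secret.
VULN_TOKEN = build_demo_token({"sub": "operator", "totp_secret": "JBSWY3DPEHPK3PXP", "exp": 1780000000})
FIXED_TOKEN = build_demo_token({"sub": "operator", "exp": 1780000000})
LOG_LINES = [  # constructed CI log excerpt
    f"2026-05-12T10:00:01Z ci-runner unseal token={VULN_TOKEN}",
    "2026-05-12T10:00:02Z ci-runner secrets loaded",
    f"2026-05-12T10:00:03Z ci-runner unseal token={FIXED_TOKEN}",
]

if __name__ == "__main__":
    print(scan_log_lines(LOG_LINES))  # [(1, ['totp_secret'])]
```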

Exploits (1)

nomisec WORKING POC
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-45091

Classification
Working PoC (95%)
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: sealed-env (version not specified)
Auth required
Prerequisites: valid JWT token with embedded TOTP secret
devstral-2 · analyzed May 16, 2026


Scores

CVSS v3 9.1
EPSS 0.0001
EPSS Percentile 2.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-200 CWE-522
Status published
Products (3)
davidalmeidac/sealed-env < 0.1.0-alpha.4
io.github.davidalmeidac/sealed-env-core 0 - 0.1.0-alpha.4 (Maven)
npm/sealed-env 0 - 0.1.0-alpha.4 (npm)
Published May 12, 2026
Tracked Since May 12, 2026