CVE-2026-45091— sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
In-the-Wild Activity Observed github_trending · low
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| davidalmeidac | sealed-env | < 0.1.0-alpha.4 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45091
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
Source: NVD (National Vulnerability Database)
Vulnerability Description
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
sealed-env 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
sealed-env是David Almeida个人开发者的一个跨平台零信任密钥管理库,支持加密存储与TOTP验证。 sealed-env 0.1.0-alpha.1版本至0.1.0-alpha.3版本存在信息泄露漏洞,该漏洞源于在企业模式下,每个生成的解封令牌的JWS有效载荷中嵌入了操作员的文字TOTP秘密,JWS有效载荷是base64编码的JSON而非加密,任何能观察到令牌的方都能解码有效载荷并以明文提取TOTP秘密。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| davidalmeidac | sealed-env | < 0.1.0-alpha.4 | - |
II. Public POCs for CVE-2026-45091
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45091
请登录查看更多情报信息。
Advisory · 1
IV. Related Vulnerabilities
Same weakness: CWE-200
- CVE-2026-6826
Concrete 9.5.0 and below has file usage disclosure via missi - CVE-2025-31985
HCL BigFix Service Management (SM) is affected by a security - CVE-2026-6728
Slider Revolution <= 7.0.9 - Unauthenticated Sensitive Infor - CVE-2026-5075
All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensi - CVE-2026-34970
MantisBT Bugnote Revision Page Leaks Private Issue Metadata
V. Comments for CVE-2026-45091
No comments yet