{"uuid": "b61a14a6-c5aa-4d45-b16b-62a7b04d04a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45091", "type": "seen", "source": "https://gist.github.com/alon710/001644e5a9eb201b408c3975d7ef4c5c", "content": "# CVE-2026-45091: CVE-2026-45091: Cleartext TOTP Secret Exposure in sealed-env JWS Tokens\n\n&gt; **CVSS Score:** 9.1\n&gt; **Published:** 2026-05-12\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-45091\n\n## Summary\nThe sealed-env library incorrectly embeds operator TOTP secrets in the unencrypted Base64-encoded payload of minted JWS tokens, allowing unauthenticated attackers to extract credentials and bypass multi-factor authentication controls.\n\n## TL;DR\nVersions 0.1.0-alpha.1 through 0.1.0-alpha.3 of the sealed-env library suffer from a critical flaw where JWS token payloads contain plaintext TOTP secrets, facilitating trivial MFA bypasses.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CVSS Score**: 9.1 (CRITICAL)\n- **Attack Vector**: Network\n- **CWE ID**: CWE-200, CWE-522\n- **Privileges Required**: None\n- **Affected Versions**: 0.1.0-alpha.1 - 0.1.0-alpha.3\n- **CISA KEV**: Not Listed\n\n## Affected Systems\n\n- sealed-env Node.js SDK\n- sealed-env Java Spring Boot integration\n- **sealed-env**: &gt;= 0.1.0-alpha.1, &lt;= 0.1.0-alpha.3 (Fixed in: `0.1.0-alpha.4`)\n\n## Mitigation\n\n- Upgrade the sealed-env library to version 0.1.0-alpha.4.\n- Rotate all TOTP secrets for operator accounts.\n- Purge CI/CD logs, container dumps, and monitoring systems containing legacy unseal tokens.\n\n**Remediation Steps:**\n1. Identify all Node.js and Java Spring Boot applications running sealed-env versions 0.1.0-alpha.1 through 0.1.0-alpha.3.\n2. Update dependencies in package.json or pom.xml/build.gradle to target sealed-env version 0.1.0-alpha.4.\n3. Deploy the updated application to production environments.\n4. Access the sealed-env administrative interface and invalidate all existing operator TOTP configurations.\n5. Require operators to register new TOTP credentials.\n6. Search centralized logging systems and CI/CD pipelines for existing JWS tokens and delete the offending records.\n\n## References\n\n- [GHSA Advisory](https://github.com/davidalmeidac/sealed-env/security/advisories/GHSA-x3r2-fj3r-g5mv)\n- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-45091)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-45091)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45091) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-12T16:10:29.000000Z"}