Critical severity9.1GHSA Advisory· Published May 12, 2026· Updated May 13, 2026
CVE-2026-45091
CVE-2026-45091
Description
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sealed-envnpm | < 0.1.0-alpha.4 | 0.1.0-alpha.4 |
io.github.davidalmeidac:sealed-env-coreMaven | < 0.1.0-alpha.4 | 0.1.0-alpha.4 |
Affected products
3- Range: < 0.1.0-alpha.4
- ghsa-coords2 versions
< 0.1.0-alpha.4+ 1 more
- (no CPE)range: < 0.1.0-alpha.4
- (no CPE)range: < 0.1.0-alpha.4
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.