Threat Advisory

Sealed-env Vulnerability Breaches Master Key Protected Secrets

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

CVE-2026-45091 (CVSS score 9.1) is a critical vulnerability in sealed-env, a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot, affecting versions , and also impacting the io.github.davidalmeidac:sealed-env-core package in Maven, specifically versions . The flaw was discovered by decoding a real minted token: the unseal token is a JWS whose payload is base64-encoded JSON, signed but not encrypted, so it carries the TOTP secret in plaintext. An attacker holding a leaked unseal token and the master key can read that secret from the payload and use it to mint new valid unseal tokens for any future deploy indefinitely, breaking the second-factor property the library claimed. Exploitation requires no user interaction and no privileges beyond possession of a leaked unseal token and the master key. The business impact is significant: bypassing the second-factor mechanism can lead to unauthorized access to sensitive information and compromise of the affected system.

RECOMMENDATION:

We recommend updating sealed-env to a fixed version as listed in the GitHub advisory: https://github.com/advisories/GHSA-x3r2-fj3r-g5mv

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-x3r2-fj3r-g5mv
