CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad


CVE-2026-45091 · CVSS 9.1

CVE-2026-45091: Cleartext TOTP Secret Exposure in sealed-env JWS Tokens

Alon Barad, Software Engineer

May 12, 2026 · 4 min read

PoC Available

Executive Summary (TL;DR)

Versions 0.1.0-alpha.1 through 0.1.0-alpha.3 of the sealed-env library suffer from a critical flaw where JWS token payloads contain plaintext TOTP secrets, facilitating trivial MFA bypasses.

The sealed-env library incorrectly embeds operator TOTP secrets in the unencrypted Base64-encoded payload of minted JWS tokens, allowing unauthenticated attackers to extract credentials and bypass multi-factor authentication controls.

Vulnerability Overview

The sealed-env library provides zero-trust secret management capabilities for Node.js and Java Spring Boot applications. In its enterprise mode, the system utilizes JSON Web Signatures (JWS) to issue unseal tokens to authorized operators. These tokens are required to perform administrative actions and decrypt environment-specific secrets.

The vulnerability, designated as CVE-2026-45091, stems from the insecure construction of these unseal tokens. The minting process embeds the operator's literal Time-based One-Time Password (TOTP) secret directly into the token's payload. This design flaw is classified under CWE-200 (Exposure of Sensitive Information) and CWE-522 (Insufficiently Protected Credentials).

Because JWS payloads are encoded rather than encrypted, this sensitive data is exposed to any entity that can read the token string. The resulting exposure enables unauthorized actors to fully bypass multi-factor authentication requirements for the secret management infrastructure.

Root Cause Analysis

The core engineering failure in CVE-2026-45091 involves a misunderstanding of the JWS (JSON Web Signature) standard. A JWS token consists of three components separated by periods: a header, a payload, and a signature. The header and payload are merely Base64Url-encoded: the encoding makes them safe to transport, the signature guards their integrity, and nothing in the format provides confidentiality.

During the token generation phase in vulnerable versions of sealed-env, the software populates the JSON payload with operator claims. The code directly assigns the operator's TOTP secret key to a field within this JSON structure. This payload is then Base64Url-encoded and cryptographically signed by the server.

While the cryptographic signature prevents tampering with the token, it does nothing to obscure the contents. The system should have utilized JWE (JSON Web Encryption) if sensitive state needed to be passed to the client, or preferably maintained the TOTP secret securely on the server side, referencing it only via an opaque identifier.

Exploitation Mechanics and Token Exposure

Exploitation of CVE-2026-45091 requires no specialized tools and relies entirely on standard string manipulation. An attacker must first acquire a minted unseal token. These tokens are frequently leaked via CI/CD build logs, container environment variable dumps, or centralized monitoring systems capturing application state.

Once the token string is obtained, the attacker splits the JWS at the first and second period characters to isolate the payload segment. This payload is then processed using standard Base64 decoding utilities. The resulting plaintext JSON exposes the totp_secret key directly to the attacker.

# Extracting the TOTP secret from a leaked JWS token payload. JWS segments are
# unpadded Base64Url, so restore padding and the standard alphabet before decoding.
payload="eyJ1c2VyX2lkIjoiYWRtaW4iLCJ0b3RwX3NlY3JldCI6IktWSlZLU1JRSlZKVktTUlEifQ"
printf '%s' "$payload" | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d
# Output: {"user_id":"admin","totp_secret":"KVJVKSRQJVJVKSRQ"}

With the extracted TOTP secret, the attacker inputs the key into a standard authenticator application or CLI tool. This grants the ability to generate valid, time-synchronized six-digit codes. The attacker subsequently presents these codes to the sealed-env administrative interface to authenticate as the compromised operator.

Impact Assessment

The successful exploitation of this vulnerability results in a complete bypass of the system's multi-factor authentication controls. An attacker equipped with valid TOTP codes can authenticate as a privileged operator within the sealed-env enterprise environment. This level of access permits the unsealing of production secrets, database credentials, and cryptographic keys.

The CVSS v3.1 score of 9.1 (Critical) accurately reflects the severity and ease of exploitation. The attack vector is Network (AV:N), as the system is typically exposed via internal or external APIs. The attack complexity is Low (AC:L), requiring only basic Base64 decoding without specialized exploitation techniques.

No privileges or user interaction are required (PR:N, UI:N) once the token is obtained. The impact on confidentiality and integrity is High (C:H, I:H), given the total compromise of the secret management platform, while availability is not affected (A:N). The scope remains Unchanged (S:U), as the vulnerability affects the component itself without crossing security boundaries.

Remediation and Secret Rotation

The vendor addressed CVE-2026-45091 in sealed-env version 0.1.0-alpha.4. The patch fundamentally alters the token generation logic to exclude the TOTP secret from the JWS claim set. Security engineers must immediately upgrade all Node.js and Java Spring Boot deployments to this patched version.

Applying the software update alone is insufficient to secure compromised environments. Because the TOTP secrets were previously embedded in tokens and potentially recorded in infrastructure logs, all operator TOTP secrets must be invalidated and regenerated. Administrators must force a secret rotation event for all enterprise accounts.

Additionally, organizations must conduct a thorough sanitization of historical logs. Development teams should scrub CI/CD pipelines, Kubernetes pod manifests, and observability platforms (such as Sentry or Splunk) for the string pattern associated with the sealed-env tokens. Retaining these artifacts leaves the environment vulnerable to retrospective token decoding.

Technical Appendix

CVSS Score: 9.1 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Systems

  • sealed-env Node.js SDK
  • sealed-env Java Spring Boot integration

Affected Versions Detail

Product                      Affected Versions                     Fixed Version
sealed-env (davidalmeidac)   >= 0.1.0-alpha.1, <= 0.1.0-alpha.3    0.1.0-alpha.4

Attribute             Detail
CVSS Score            9.1 (CRITICAL)
Attack Vector         Network
CWE ID                CWE-200, CWE-522
Privileges Required   None
Affected Versions     0.1.0-alpha.1 - 0.1.0-alpha.3
CISA KEV              Not Listed

MITRE ATT&CK Mapping

  • T1005 Data from Local System (Collection)
  • T1552 Unsecured Credentials (Credential Access)

  • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-522 Insufficiently Protected Credentials

Vulnerability Timeline

CVE Published
2026-05-12

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.