Cross-Stack Secret Management Library Vulnerability in Sealed-Env by David Almeida
CVE-2026-45091

9.1 CRITICAL

Key Information:

CVE Published: 12 May 2026

What is CVE-2026-45091?

The Sealed-Env library, which provides cross-stack secret management for Node.js and Java/Spring Boot applications, contains a vulnerability in its enterprise mode. Versions 0.1.0-alpha.1 through 0.1.0-alpha.3 inadvertently embed an operator's TOTP secret in the JWS payload of every generated unseal token. Because a JWS payload is only base64url-encoded (the token is signed, not encrypted), the secret is readable by anyone who can see the token. An attacker who observes these tokens in CI build logs, container environment dumps, or other logging systems can decode the payload and recover the TOTP secret in plaintext. The flaw is fixed in version 0.1.0-alpha.4.

Affected Version(s)

sealed-env < 0.1.0-alpha.4

CVSS v3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved