External risk intelligence

sealed-env could allow internal attacker to expose authentication secrets

CVE advisory · Severity: CRITICAL (CVSS 9.1)

CVE-2026-45091

The sealed-env library mistakenly exposes sensitive authentication codes in application logs and system dumps. An internal attacker can steal these credentials to bypass multi-factor security and gain unauthorized administrative control over sensitive internal systems.

Halo Surface Signal score: 1 (external exposure likelihood)

Category: Information Disclosure

This vulnerability exists in a backend library used for secret management. The exposure occurs exclusively within internal infrastructure such as CI/CD pipelines, container dumps, and log aggregators. It is not an internet-facing service or gateway, making public network exposure very unlikely.

Horizon Alert

Summary of the vulnerability and why it matters

The sealed-env secret management library, in its enterprise mode, incorrectly embeds a critical secret directly into tokens. This means anyone able to access these tokens, even from logs or environment dumps, can easily expose the secret in plaintext. This could lead to unauthorized access or compromise of systems relying on these secrets.

  • Sensitive secrets exposed in tokens.
  • Accessible from logs and environment data.
  • Impacts Node.js and Java/Spring Boot.

Attack Path

How an attacker could exploit the issue

An attacker could steal the TOTP secret from `sealed-env` if they can access minted unseal tokens. These tokens are created without encryption, and the TOTP secret is directly embedded and base64-encoded in the token's payload. Anyone observing these tokens, such as in CI/CD logs or container environment dumps, can easily extract the secret.

  • Observe minted tokens.
  • Decode base64 payload.
  • Gain TOTP secret.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in sealed-env's enterprise mode, where TOTP secrets were embedded in JWS payloads, is unlikely to be weaponized by external attackers. The exposure vector is limited to internal infrastructure, such as CI build logs or container environments, rather than internet-facing services. This significantly reduces the attack surface and the likelihood of widespread exploitation by remote threat actors.

  • Only internal access needed for token observation.
  • No public exploit code observed.
  • Vulnerability fixed in a recent version.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediately updating sealed-env to 0.1.0-alpha.4 if you are using it in enterprise mode to prevent sensitive TOTP secrets from being exposed in JWS payloads. If an immediate update is not feasible, review all logs, CI/CD pipelines, and container environments for any exposed tokens that could have revealed secrets.

  • Update sealed-env to version 0.1.0-alpha.4.
  • Inspect logs and environment dumps for exposed TOTP secrets.
  • Implement stricter access controls for token generation and storage.

Frequently asked questions

What is sealed-env and what is it used for?

sealed-env is a library designed for managing secrets in Node.js and Java/Spring Boot applications. It aims to provide zero-trust secret management across different parts of a software system, helping to secure sensitive information like authentication keys and credentials.

What is the CWE weakness for CVE-2026-45091 in sealed-env?

The vulnerability CVE-2026-45091 in sealed-env relates to CWE-200, Exposure of Sensitive Information to an Unauthorized Actor, and CWE-522, Sensitive Data Exposure. Specifically, it allowed a Time-based One-Time Password (TOTP) secret to be embedded in a plain, base64-encoded JSON payload within security tokens.

How does an attacker trigger this sealed-env vulnerability?

An attacker can exploit this by observing minted unseal tokens. These tokens were generated without encryption in affected versions of sealed-env enterprise mode. If an attacker can access these tokens, for example, through CI/CD build logs or container environment dumps, they can decode the payload to retrieve the embedded TOTP secret.

Who should care about this sealed-env vulnerability?

Organizations using sealed-env in its enterprise mode should care. The Halo Surface Signal indicates this is an internal exposure risk, meaning the vulnerability is relevant to secrets exposed within internal infrastructure like build logs or environment dumps, rather than internet-facing services.

What is the first step to address CVE-2026-45091 in sealed-env?

The immediate first step is to update sealed-env to version 0.1.0-alpha.4, as this version includes the fix for the vulnerability. If an immediate update is not possible, it is recommended to review internal logs and container environments for any exposed tokens that might contain sensitive secrets.
