PT-2026-40032 · Unknown · Sealed-Env

Published: 2026-05-12 · Updated: 2026-05-12 · CVE-2026-45091

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: sealed-env versions 0.1.0-alpha.1 through 0.1.0-alpha.3

Description: In enterprise mode, the operator's literal TOTP (Time-based One-Time Password) secret is embedded in the JWS (JSON Web Signature) payload of every minted unseal token. Because the JWS payload is base64url-encoded JSON and is signed but not encrypted, any party capable of observing a minted token—such as through CI build logs, container environment dumps, kubectl describe pod output, Sentry or Rollbar stack traces, or log aggregators—can decode the payload and read the TOTP secret in plaintext. An attacker who holds the master key and a leaked token can therefore mint unlimited new unseal tokens indefinitely, bypassing the second-factor protection.

Recommendations: Update to version 0.1.0-alpha.4.
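The following constructed example illustrates the weakness described above and a defensive audit check for it; it is added here and is not sealed-env's own code. The claim names ("totp_secret", "totp_key_id"), the master key, the sample TOTP secret and the hardened token layout are assumptions: the advisory does not publish the real token format or what 0.1.0-alpha.4 changed. It mints an HS256 JWS the way a minting service would, shows that the payload can be read back with no key at all, and contrasts it with a payload that carries only an opaque reference to a server-side secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed illustration, not sealed-env's own code. The claim names
# ("totp_secret", "totp_key_id"), the master key and the TOTP secret used
# below are assumptions; the advisory does not publish the real token layout.


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(): restore the padding the compact form strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jws(payload: dict, signing_key: bytes) -> str:
    """Compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256_jws(token: str, signing_key: bytes) -> bool:
    """The signature protects integrity only; it does nothing for confidentiality."""
    head, body, sig = token.split(".")
    expected = hmac.new(signing_key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def decode_payload_without_key(token: str) -> dict:
    """What anyone who sees a logged token can do: no key, just base64url decoding."""
    _head, body, _sig = token.split(".")
    return json.loads(b64url_decode(body))


# Claim names an audit should treat as a red flag in a signed-but-unencrypted payload.
SECRET_CLAIM_NAMES = frozenset({"totp_secret", "otp_secret", "seed", "secret"})


def payload_secret_claims(token: str) -> frozenset:
    """Audit check: which secret-bearing claims does this minted token expose?"""
    return SECRET_CLAIM_NAMES & frozenset(decode_payload_without_key(token))


def mint_vulnerable_token(master_key: bytes, totp_secret: str) -> str:
    """The pattern the advisory describes: the literal TOTP secret rides in the payload."""
    payload = {"sub": "operator", "totp_secret": totp_secret, "exp": 1900000000}
    return mint_hs256_jws(payload, master_key)


def mint_hardened_token(master_key: bytes, totp_key_id: str) -> str:
    """Hardened pattern (an assumption, not a description of 0.1.0-alpha.4): the
    payload carries only an opaque reference; the TOTP secret stays server-side and
    the verifier looks it up by id when checking the second factor."""
    payload = {"sub": "operator", "totp_key_id": totp_key_id, "exp": 1900000000}
    return mint_hs256_jws(payload, master_key)


if __name__ == "__main__":
    key = b"constructed-master-key"
    leaked = mint_vulnerable_token(key, "JBSWY3DPEHPK3PXP")  # constructed sample secret
    print("claims exposed in vulnerable token:", sorted(payload_secret_claims(leaked)))
    safe = mint_hardened_token(key, "totp-enrolment-0042")
    print("claims exposed in hardened token:", sorted(payload_secret_claims(safe)))
    print("hardened token still verifies:", verify_hs256_jws(safe, key))
```

The check in payload_secret_claims() is the kind of guard worth running in the minting service's own tests or as a CI gate over any token a build emits: a valid signature says nothing about what the payload reveals, so the rule is that nothing which must stay secret is ever placed in a JWS payload unless the token is additionally encrypted.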

Fix

Insufficiently Protected Credentials

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-45091
GHSA-X3R2-FJ3R-G5MV

Affected Products

Sealed-Env