What is the CVSS score of CVE-2026-45091?

CVE-2026-45091 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of sealed-env are affected by CVE-2026-45091?

CVE-2026-45091 exposes TOTP operator authentication credentials in plaintext within sealed-env enterprise mode tokens (versions 0.1.0-alpha.1 through 0.1.0-alpha.3), allowing unauthenticated…. A patch is available.

Is there a public PoC exploit available for CVE-2026-45091?

Yes, a public proof-of-concept exploit is available for CVE-2026-45091. Prioritise patching immediately. EPSS: 0.0%.

sealed-env CVE-2026-45091

EUVD-2026-29476 CRITICAL

Information Exposure (CWE-200)

2026-05-12 GitHub_M

GHSA-x3r2-fj3r-g5mv

Java Information Disclosure Node.js

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

May 12, 2026 - 15:02 EUVD

Analysis Generated

May 12, 2026 - 14:15 vuln.today

CVE Published

May 12, 2026 - 13:20 nvd

CRITICAL 9.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 maven packages depend on io.github.davidalmeidac:sealed-env-core (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.1.0-alpha.4.

DescriptionNVD

sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.

AnalysisAI

Plaintext TOTP secret exposure in sealed-env enterprise mode allows remote unauthenticated attackers to extract operator authentication credentials from base64-decoded JWS tokens. Versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embed literal TOTP secrets in every minted unseal token's JWS payload without encryption, enabling credential harvesting from CI logs, container environments, monitoring tools, and log aggregators. …

RemediationAI

Within 24 hours: Identify all sealed-env deployments and audit version numbers to determine exposure scope; immediately isolate or quarantine affected systems. Within 7 days: Upgrade to sealed-env version 0.1.0-alpha.4 or later; rotate all TOTP operator credentials and invalidate previously-issued unseal tokens. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45091 vulnerability details – vuln.today

Back

sealed-env CVE-2026-45091

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code