Cyber Resilience

CVE-2026-45091

Critical

Published: 12 May 2026

Published
12 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0033 24.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-45091 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded…

more

JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, kubectl describe pod, Sentry/Rollbar stack traces, log aggregators) could decode the payload and extract the TOTP secret in plaintext. This vulnerability is fixed in 0.1.0-alpha.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vulnerability directly exposes TOTP secret (credential) in plaintext within observable JWS tokens, enabling T1552 Unsecured Credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-34897Shared CWE-200
CVE-2024-48310Shared CWE-200
CVE-2025-58741Shared CWE-522
CVE-2026-7313Shared CWE-522
CVE-2025-26492Shared CWE-522
CVE-2026-7312Shared CWE-522
CVE-2025-24899Shared CWE-200
CVE-2026-33575Shared CWE-522
CVE-2026-32633Shared CWE-200, CWE-522
CVE-2026-46427Shared CWE-200

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-522

Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.

addresses: CWE-200 CWE-522

Retaining and monitoring training records confirms personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of unauthorized exposure due to lack of knowledge.

addresses: CWE-200 CWE-522

Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media.

addresses: CWE-200 CWE-522

Out-of-band delivery transmits sensitive data on a separate path, directly reducing exposure to unauthorized actors on the primary channel.

addresses: CWE-200

Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.

addresses: CWE-200

Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.

addresses: CWE-200

Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.

addresses: CWE-200

By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.

References