CVE-2026-45091
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
Description
In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. A JWS payload is base64url-encoded JSON: it is signed, NOT encrypted, so no key is needed to read it. Any party who could observe a minted token (CI build logs, container env dumps, `kubectl describe pod` output, Sentry/Rollbar stack traces, log aggregators) could decode the payload and recover the TOTP secret in plaintext.

An attacker holding (a) the master key (for example from a separate compromise such as a leaked CI secret) and (b) any single leaked unseal token can use the extracted TOTP secret to mint new valid unseal tokens for any future deploy indefinitely. This breaks the second-factor property the library claimed: the token was meant to prove possession of something the master key alone does not give you.

Patched in 0.1.0-alpha.4 by replacing the embedded secret with a salt-bound HMAC derivative (`enterprise_epoch = HMAC(totpSecret, salt || "epoch-v1")`). In the new design the TOTP secret never leaves the operator's machine; only the derivative, which cannot feasibly be inverted to recover the secret, appears in the token. The wire format change is incompatible: files sealed by affected versions must be re-sealed and the TOTP secret rotated. The full migration playbook is in CHANGELOG.md.

Reported by an external reviewer who decoded the payload of a real minted token and confirmed bit-for-bit equality with the operator's .env.local TOTP secret.
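As an added illustration of the two designs described above (not sealed-env's own code, and not its real wire format): a minimal HS256 compact JWS, the affected layout with the TOTP secret carried as a payload claim, the alpha.4-style salt-bound derivative, and a small triage helper that pulls tokens out of log text and flags claims that look like a base32 TOTP secret. The claim names `totp_secret`, `enterprise_epoch` and `deploy`, the choice of SHA-256 and hex output for the HMAC, the log line, and the key, secret and salt values are all constructed assumptions for this demo.

```python
"""Why a JWS payload leaks whatever is put in it, and what the HMAC derivative changes.

Constructed example: the token layout, claim names ("totp_secret", "enterprise_epoch",
"deploy"), the use of HS256 and SHA-256, and the sample key/secret/salt are all
assumptions made for this demo, not sealed-env's real wire format.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed sample material; not real credentials.
MASTER_KEY = b"constructed-master-key-from-ci"
TOTP_SECRET = "JBSWY3DPEHPK3PXP"      # base32, the usual TOTP secret shape
FILE_SALT = b"constructed-per-file-salt"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(master_key: bytes, payload: dict) -> str:
    """Compact JWS (header.payload.signature), HS256 keyed with the master key.
    The payload is only encoded, never encrypted."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(master_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(master_key: bytes, token: str) -> Optional[dict]:
    """Return the payload if the signature checks out under master_key, else None."""
    header, body, sig = token.split(".")
    expected = hmac.new(master_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


def read_payload_unverified(token: str) -> dict:
    """What anyone holding a leaked token can do: decode the middle segment, no key needed."""
    return json.loads(b64url_decode(token.split(".")[1]))


def mint_token_affected(master_key: bytes, totp_secret: str, deploy_id: str) -> str:
    """Affected design (as described for alpha.1..alpha.3): the literal secret rides in the payload."""
    return sign_hs256(master_key, {"deploy": deploy_id, "totp_secret": totp_secret})


def derive_enterprise_epoch(totp_secret: str, salt: bytes) -> str:
    """enterprise_epoch = HMAC(totpSecret, salt || "epoch-v1"); SHA-256 and hex output assumed."""
    return hmac.new(totp_secret.encode(), salt + b"epoch-v1", hashlib.sha256).hexdigest()


def mint_token_fixed(master_key: bytes, totp_secret: str, salt: bytes, deploy_id: str) -> str:
    """Fixed design (alpha.4 shape): only the salt-bound derivative is embedded."""
    epoch = derive_enterprise_epoch(totp_secret, salt)
    return sign_hs256(master_key, {"deploy": deploy_id, "enterprise_epoch": epoch})


# Compact-JWS shape: three base64url segments. Good enough to pull tokens out of log text.
JWS_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
# Base32 alphabet, 16+ chars: the usual shape of a TOTP secret (RFC 4648 / otpauth URIs).
BASE32_SECRET_RE = re.compile(r"^[A-Z2-7]{16,}={0,6}$")


def extract_tokens(text: str) -> list:
    """Every compact-JWS-looking string in a blob of log text."""
    return JWS_RE.findall(text)


def find_leaked_totp_claims(token: str) -> list:
    """Names of payload claims whose value looks like a base32 TOTP secret.
    Run this over tokens scraped from CI logs or pod descriptions to triage exposure."""
    payload = read_payload_unverified(token)
    return [k for k, v in payload.items() if isinstance(v, str) and BASE32_SECRET_RE.match(v)]


if __name__ == "__main__":
    leaked = mint_token_affected(MASTER_KEY, TOTP_SECRET, "deploy-17")
    # Constructed log line of the kind the advisory lists (CI output echoing the token).
    log_line = "2026-01-09T10:11:12Z build: SEALED_ENV_UNSEAL_TOKEN=" + leaked
    for tok in extract_tokens(log_line):
        print("claims that look like TOTP secrets:", find_leaked_totp_claims(tok))
        secret = read_payload_unverified(tok)["totp_secret"]
        # Master key + recovered secret: attacker mints a fresh, valid token for any deploy.
        forged = mint_token_affected(MASTER_KEY, secret, "deploy-999")
        print("forged token verifies:", verify_hs256(MASTER_KEY, forged) is not None)
    fixed = mint_token_fixed(MASTER_KEY, TOTP_SECRET, FILE_SALT, "deploy-17")
    print("fixed payload:", read_payload_unverified(fixed))
    print("fixed token leaks:", find_leaked_totp_claims(fixed))
```

The point to take from running it: `read_payload_unverified` needs no key at all, so an affected token hands the secret to anyone who can read a log line, and with the master key that secret mints fresh tokens for arbitrary deploys. The same decode on the fixed layout yields only the derivative. `find_leaked_totp_claims` is the kind of check to run over the log sources the description lists when sizing the exposure, keeping in mind that rotation and re-sealing are required for affected versions regardless of what the search turns up.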
How to fix CVE-2026-45091
To remediate CVE-2026-45091, upgrade sealed-env to a fixed version:
- upgrade to 0.1.0-alpha.4 or later

Upgrading alone is not enough. The fixed wire format is incompatible with tokens and sealed files produced by 0.1.0-alpha.1 through 0.1.0-alpha.3, and any TOTP secret embedded in a token those versions minted may already have been read from wherever the token was logged. After upgrading, re-seal files sealed by affected versions and rotate the TOTP secret, following the migration playbook in CHANGELOG.md.
Is CVE-2026-45091 being exploited?
Low: the EPSS score is 0.0%, meaning the model predicts a negligible probability of exploitation in the wild over the next 30 days. EPSS is a prediction drawn from broad exploitation telemetry, not a statement about your environment. If a minted unseal token from an affected version has ever reached a CI log, a container env dump, a crash reporter or a log aggregator, treat the TOTP secret as exposed and rotate it regardless of this score.
Affected packages (2)
- sealed-env: >= 0, < 0.1.0-alpha.4 (i.e. 0.1.0-alpha.1 through 0.1.0-alpha.3)