{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/sealed-env-core--0.1.0-alpha.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-45091"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sealed-env (\u003c 0.1.0-alpha.4)","sealed-env-core (\u003c 0.1.0-alpha.4)"],"_cs_severities":["critical"],"_cs_tags":["credential-access","cve-2026-45091","sealed-env"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVersions 0.1.0-alpha.1 through 0.1.0-alpha.3 of sealed-env, when running in enterprise mode, improperly handled TOTP secrets. The application embedded the operator\u0026rsquo;s plaintext TOTP secret within the JWS payload of each minted unseal token. Since JWS payloads are base64-encoded JSON and not encrypted, any entity that observed a minted token could extract the TOTP secret. This exposure could occur through various channels, including CI build logs, container environment dumps, \u003ccode\u003ekubectl describe pod\u003c/code\u003e outputs, or log aggregation systems. The issue was reported by an external reviewer after decoding the payload of a real minted token and confirming it matched the operator\u0026rsquo;s \u003ccode\u003e.env.local\u003c/code\u003e TOTP secret. Version 0.1.0-alpha.4 patches this vulnerability (CVE-2026-45091) by replacing the embedded secret with a salt-bound HMAC derivative (\u003ccode\u003eenterprise_epoch = HMAC(totpSecret, salt || \u0026quot;epoch-v1\u0026quot;)\u003c/code\u003e). The change is incompatible, requiring re-sealing and TOTP secret rotation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to the master key, possibly through a leaked CI secret or other compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or obtains a single, previously minted unseal token. This token could be found in CI build logs, container environment variables, or other exposed locations.\u003c/li\u003e\n\u003cli\u003eThe attacker decodes the base64-encoded JWS payload of the intercepted unseal token.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the plaintext TOTP secret from the decoded JWS payload.\u003c/li\u003e\n\u003cli\u003eThe attacker, possessing both the master key and the TOTP secret, can now generate valid unseal tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the generated unseal tokens to unseal the environment for unauthorized deployments.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent, unauthorized access to the sealed environment indefinitely.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows attackers to bypass the intended two-factor unsealing mechanism of sealed-env. An attacker with the master key and a single leaked unseal token can generate new, valid unseal tokens indefinitely. This compromises the security of any environment protected by sealed-env, allowing for unauthorized deployments and potentially leading to data breaches, service disruption, or other malicious activities. Successful exploitation allows unauthorized persistent access to sensitive applications and data protected by sealed-env.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to sealed-env version 0.1.0-alpha.4 or later to address CVE-2026-45091.\u003c/li\u003e\n\u003cli\u003eRotate the TOTP secret after upgrading to version 0.1.0-alpha.4, as the old secret may have been compromised.\u003c/li\u003e\n\u003cli\u003eReseal all files sealed by affected versions (0.1.0-alpha.1 through 0.1.0-alpha.3) due to the incompatible wire format change detailed in the CHANGELOG.md.\u003c/li\u003e\n\u003cli\u003eImplement robust logging and monitoring to detect unauthorized access attempts or unusual unsealing activities related to the leaked TOTP.\u003c/li\u003e\n\u003cli\u003eExamine historical logs for any exposed unseal tokens in CI build logs, container environment dumps, \u003ccode\u003ekubectl describe pod\u003c/code\u003e outputs, or log aggregation systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:09:56Z","date_published":"2026-05-12T15:09:56Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sealed-env-totp-leak/","summary":"sealed-env versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token, allowing an attacker with a leaked token and the master key to mint new unseal tokens indefinitely.","title":"sealed-env Enterprise Mode TOTP Secret Leak in Unseal Tokens (CVE-2026-45091)","url":"https://feed.craftedsignal.io/briefs/2026-05-sealed-env-totp-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Sealed-Env-Core (\u003c 0.1.0-Alpha.4)","version":"https://jsonfeed.org/version/1.1"}