
CVE-2026-45091: Cleartext TOTP Secret Exposure in sealed-env JWS Tokens

DEV Community·CVE Reports·21 days ago

Vulnerability ID: CVE-2026-45091
CVSS Score: 9.1
Published: 2026-05-12

The sealed-env library incorrectly embeds operator TOTP secrets in the unencrypted Base64-encoded payload of minted JWS tokens, allowing unauthenticated attackers to extract credentials and bypass multi-factor authentication controls.

TL;DR

Versions 0.1.0-alpha.1 through 0.1.0-alpha.3 of the sealed-env library suffer from a critical flaw where JWS token payloads contain plaintext TOTP secrets, facilitating trivial MFA bypasses.…
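A mint-time regression check for the flaw class described above, added here as an example and not taken from sealed-env or the original report: it decodes the payload of a compact JWS and lists claims that look like TOTP material. The claim names, matching heuristics and sample tokens are constructed assumptions.

```python
import base64
import json
import re

# Heuristics (assumptions, not taken from sealed-env): key names that suggest a
# credential, and values shaped like a Base32 TOTP seed or an otpauth:// URI.
SUSPECT_KEY = re.compile(r"(otp|secret|seed)", re.IGNORECASE)
BASE32_SEED = re.compile(r"^[A-Z2-7]{16,}=*$")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used by JWS compact form."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def secret_like_claims(token: str) -> list[str]:
    """Return JSON paths in the JWS payload that look like exposed TOTP material."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(b64url_decode(parts[1]))  # signed, but not encrypted
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            leaf = path.rsplit(".", 1)[-1]
            if (node.startswith("otpauth://") or BASE32_SEED.match(node)
                    or SUSPECT_KEY.search(leaf)):
                hits.append(path)

    walk(payload, "$")
    return hits


def make_token(claims: dict) -> str:
    """Build a constructed sample token; the signature is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(b'placeholder-signature')}"
```

Run against tokens produced by your own minting code in CI; any non-empty result means secret-like material is readable by anyone who holds the token.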
