CVE-2026-14969
Received
Received - Intake
Hardcoded IV in 389-ds-base LDBM Encryption
Vulnerability report for CVE-2026-14969, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-07
Last updated on: 2026-07-07
Assigner: Red Hat, Inc.
Description
Description
A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | 389-ds-base | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-329 | The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key. |