Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14969

CVE-2026-14969: Redhat Directory Server Info Disclosure

CVE-2026-14969 is an information disclosure vulnerability in Redhat Directory Server's 389-ds-base component. Attackers with filesystem access can detect plaintext equality by comparing encrypted data blocks.

Published:

CVE-2026-14969 Overview

CVE-2026-14969 affects the 389 Directory Server (389-ds-base), an enterprise LDAP directory used in Red Hat Directory Server and Red Hat Enterprise Linux. The LDBM backend attribute encryption feature uses a hardcoded static initialization vector (IV) for both AES-CBC and 3DES-CBC operations. This cryptographic flaw is classified under [CWE-329: Not Using a Random IV with CBC Mode]. An attacker with privileged filesystem access to the directory database files can compare ciphertext blocks and detect plaintext equality across encrypted entries. The issue affects the confidentiality guarantee that attribute encryption is expected to provide for sensitive attributes stored on disk.

Critical Impact

An attacker with local privileged access to database files can identify identical plaintext values across encrypted directory entries, undermining at-rest confidentiality of sensitive LDAP attributes.

Affected Products

  • Red Hat Directory Server 11.0, 12.0, and 13.0
  • Red Hat 389 Directory Server (upstream 389-ds-base)
  • Red Hat Enterprise Linux 7, 8, 9, and 10

Discovery Timeline

  • 2026-07-07 - CVE-2026-14969 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-14969

Vulnerability Analysis

The 389 Directory Server allows administrators to enable attribute-level encryption within the LDBM (LMDB/BDB) backend to protect sensitive values such as passwords, national identifiers, or personal data at rest. The implementation encrypts each attribute value using AES-CBC or 3DES-CBC. Cipher Block Chaining mode requires a unique, unpredictable initialization vector per encryption operation to guarantee semantic security. The vulnerable code path reuses a hardcoded static IV for every attribute value encrypted under the same key.

When CBC mode is used with a constant IV, identical plaintexts produce identical ciphertexts under the same key. An adversary with read access to the backend database files can therefore group entries containing equal attribute values without recovering the key. This exposes patterns such as shared passwords, shared identifiers, or duplicated sensitive fields across the directory.

Root Cause

The root cause is a deterministic IV embedded in the attribute encryption routine rather than a per-record random IV derived from a cryptographic random source. CBC mode's security proof requires IV unpredictability, and reusing a fixed IV collapses encryption to a deterministic function of the plaintext.

Attack Vector

Exploitation requires local, privileged access to the directory server host, specifically read access to the LDBM database files under the server's data directory. The attacker performs offline analysis by extracting encrypted attribute values from the backend files and comparing ciphertext blocks. Matching first blocks under the same key indicate matching plaintext prefixes, allowing equality inference across users and entries. The vulnerability does not permit direct plaintext recovery or key extraction on its own.

Detection Methods for CVE-2026-14969

Indicators of Compromise

  • Unexpected read access to 389-ds-base backend files such as those under /var/lib/dirsrv/slapd-<instance>/db/ by non-service accounts.
  • Copies of LDBM database files (*.db, data.mdb) appearing outside the directory server's data directory.
  • Auditd or filesystem audit events showing processes other than ns-slapd opening the encrypted backend files.

Detection Strategies

  • Enable auditd rules that watch the 389 Directory Server database directory for read and copy operations by unexpected users.
  • Monitor privileged shell activity on directory server hosts for commands that archive or exfiltrate /var/lib/dirsrv contents.
  • Review backup workflows to ensure only authorized backup agents access LDBM files, and validate that backups are encrypted with per-instance keys.

Monitoring Recommendations

  • Alert on new SSH sessions or sudo escalations to the dirsrv account followed by file access outside normal operational patterns.
  • Track outbound data transfers from directory server hosts, correlating with directory database file access events.
  • Baseline legitimate administrative access windows and flag off-hours filesystem reads of the LDBM backend.

How to Mitigate CVE-2026-14969

Immediate Actions Required

  • Apply vendor updates for 389-ds-base and Red Hat Directory Server as they become available through Red Hat channels.
  • Restrict filesystem access to the 389 Directory Server data directory to the dirsrv service account only and remove unnecessary local shell access.
  • Rotate any credentials or secrets that were stored as encrypted attributes and may have been exposed to unauthorized local users.

Patch Information

Red Hat tracks remediation through the Red Hat CVE-2026-14969 Advisory and Red Hat Bug Report #2497735. Administrators should apply the packages published for their Red Hat Enterprise Linux and Directory Server versions once released and follow any post-upgrade re-encryption guidance provided by the vendor.

Workarounds

  • Rely on full-disk or filesystem-level encryption (for example LUKS) to protect the LDBM backend files at rest instead of depending solely on attribute encryption.
  • Limit privileged local access to directory server hosts and enforce separation of duties between OS administrators and directory administrators.
  • Store highly sensitive values, such as passwords, using one-way hashing schemes supported by 389 Directory Server rather than reversible attribute encryption.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.