Description
The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.  It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications.  OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.
Published: 2026-04-14
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Sensitive data exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the OECH1 prefix encoding, designed for obfuscation but found to be cryptographically weak. Because of this weakness, any values encoded with OECH1—including credentials and secrets—can be retrieved by attackers who can analyze the encoded data. This can lead to exposure of sensitive data, such as passwords, compromising account integrity and system confidentiality.

Affected Systems

The flaw affects Progress Software Corporation's OpenEdge platform. All instances that rely on OECH1 prefix encoding for protecting values are susceptible. No specific version details are supplied, so any OpenEdge deployment using OECH1 should be considered at risk.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity, reflecting a serious risk when the encoding is used. The EPSS score is not available, but the lack of KEV listing suggests it is not yet widely exploited. Inferred, the likely attack vector involves an adversary with read access to the database or configuration files that contain OECH1-encoded data, enabling them to decode and recover the original values. The vulnerability does not require special privileges beyond access to stored data, making it both highly impactful and relatively easy to exploit if access is obtained.

Generated by OpenCVE AI on April 14, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace OECH1 prefix encoding with any supported secure prefix encoding based on symmetric encryption.
  • Re‑encode all existing values that currently use OECH1 to the new secure format.
  • Verify the OpenEdge application no longer references OECH1 anywhere in configuration or code.
  • If any credentials or secrets were exposed, rotate them immediately and update all affected systems.
  • Review database access controls to limit read access to sensitive data during remediation.

Generated by OpenCVE AI on April 14, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Progress Software Corporation
Progress Software Corporation openedge
Vendors & Products Progress Software Corporation
Progress Software Corporation openedge

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.  It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications.  OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.
Title Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge
Weaknesses CWE-257
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/AU:Y/V:D/RE:M/U:Red'}

Subscriptions

Progress Software Corporation Openedge
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-14T13:53:51.682Z

Reserved: 2025-07-23T16:36:12.176Z

Link: CVE-2025-8095

cve-icon Vulnrichment

Updated: 2026-04-14T13:53:45.475Z

cve-icon NVD

Status : Received

Published: 2026-04-14T14:16:11.237

Modified: 2026-04-14T14:16:11.237

Link: CVE-2025-8095

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:29Z

Weaknesses