Describe the bug
In encode(String, String, Map), getCryptoAlgorithm() returns a
non-null token for any string matching the {.*} pattern at the start.
The code then unconditionally attempted to decode the string before
re-encoding, without first checking whether the extracted token is
actually a valid crypto algorithm (xor, aes, hash, or custom).
[2026-06-19T14:41:30.307+0200] 00000054 SystemOut O [2026-06-19T14:41:30,307] [ERROR] d.f.d.c.o.w.WlpDataTreePasswordEncrypter - Unable to encrypt password for property type=[mailSession], parameter=[password], password (redacted) using encryptionKey gaypqCle8pirepDeNMJSYYvuwlH0W55RTwU1ioFA3ZtZ.
java.lang.NullPointerException: Cannot invoke "java.lang.String.trim()" because "decoded_string" is null
at com.ibm.websphere.crypto.PasswordUtil.encode(PasswordUtil.java:274)
at com.ibm.websphere.crypto.PasswordUtil.encode(PasswordUtil.java:228)
at de.fi.deployment.cfggenerator.operation.wlphelper.WlpDataTreePasswordEncrypter.doEncrypt(WlpDataTreePasswordEncrypter.java:127)
Steps to Reproduce
When trying to use
PasswordUtil.encode(secretToEncrypt, "aes", @Nullable encryptionKey);
Then the passwordUtil will silently return secretToEncrypt without throwing an exception if secretToEncrypt starts with {something}.
This is unexpected and highly problematic.
Actually it is based on an internal NPE within PasswordUtil:
(Error stack above)
Expected behavior
The encoding operation should complete successfully without generating an internal error.
Diagnostic information:
- OpenLiberty Version: Any
- Affected feature(s) [e.g. mpHealth-3.0] - PasswordUtilities-1.0, PasswordUtilities-2.0
- Java Version:No specific version
- server.xml configuration - includes PasswordUtilities-1.0 or PasswordUtilities-2.0 in its feature list.
Additional context
Add any other context about the problem here.
From our support team, Keith Jabcuga's created a standalone recreation program 6/19/2026
test/com/example/security/PasswordUtilSample.java
PasswordUtilSample.java
Describe the bug
In
encode(String, String, Map),getCryptoAlgorithm()returns anon-null token for any string matching the
{.*}pattern at the start.The code then unconditionally attempted to decode the string before
re-encoding, without first checking whether the extracted token is
actually a valid crypto algorithm (
xor,aes,hash, or custom).Steps to Reproduce
When trying to use
PasswordUtil.encode(secretToEncrypt, "aes", @Nullable encryptionKey);Then the passwordUtil will silently return
secretToEncryptwithout throwing an exception ifsecretToEncryptstarts with{something}.This is unexpected and highly problematic.
Actually it is based on an internal NPE within PasswordUtil:
(Error stack above)
Expected behavior
The encoding operation should complete successfully without generating an internal error.
Diagnostic information:
Additional context
Add any other context about the problem here.
From our support team, Keith Jabcuga's created a standalone recreation program 6/19/2026
test/com/example/security/PasswordUtilSample.java
PasswordUtilSample.java