diff --git a/CHANGELOG.md b/CHANGELOG.md
index b54f057e..0906974d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
# Changelog
+## Version 1.4.9 - 2026-06-09
+* fix: use random nonce per call in AES-GCM onboarding signature
+
## Version 1.4.8 - 2024-10-23
* Added support for fetch methods on payments
diff --git a/README.md b/README.md
index f90f4d00..e0f0110c 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ Add this dependency to your project's POM:
com.razorpay
razorpay-java
- 1.4.8
+ 1.4.9
```
diff --git a/pom.xml b/pom.xml
index 61d95118..a7b20c13 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
com.razorpay
razorpay-java
- 1.4.8
+ 1.4.9
jar
razorpay-java
diff --git a/src/test/java/com/razorpay/UtilsTest.java b/src/test/java/com/razorpay/UtilsTest.java
index f9697b30..8d5bda0f 100644
--- a/src/test/java/com/razorpay/UtilsTest.java
+++ b/src/test/java/com/razorpay/UtilsTest.java
@@ -94,11 +94,13 @@ public static String decrypt(byte[] encryptedData, String secret) throws Excepti
byte[] keyBytes = secret.substring(0, 16).getBytes(StandardCharsets.UTF_8);
SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
byte[] iv = new byte[12];
- System.arraycopy(keyBytes, 0, iv, 0, 12);
+ System.arraycopy(encryptedData, 0, iv, 0, 12);
+ byte[] ciphertext = new byte[encryptedData.length - 12];
+ System.arraycopy(encryptedData, 12, ciphertext, 0, ciphertext.length);
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
GCMParameterSpec gcmSpec = new GCMParameterSpec(128, iv);
- cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmSpec);
- byte[] decryptedBytes = cipher.doFinal(encryptedData);
+ cipher.init(Cipher.DECRYPT_MODE, keySpec, gcmSpec);
+ byte[] decryptedBytes = cipher.doFinal(ciphertext);
return new String(decryptedBytes);
}