Hacker News

You're using AES-256-CBC without authenticating the ciphertext. Your threat model might preclude chosen-ciphertext attacks, but every crypto code auditor will flag that as suspicious (if not an outright vulnerability).

Read these two links:

https://paragonie.com/blog/2015/05/using-encryption-and-auth...

https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc...

You want AES-GCM or AES-CBC + HMAC-SHA2 (Encrypt then MAC).



