CVE-2026-33896
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| digitalbazaar | forge | < 1.4.0 | affected |
Weaknesses
- CWE-295: CWE-295: Improper Certificate Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance
Additional References
- https://access.redhat.com/security/cve/CVE-2026-33896
- https://bugzilla.redhat.com/show_bug.cgi?id=2452458
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33896.json
- https://access.redhat.com/errata/RHSA-2026:24761
- https://access.redhat.com/errata/RHSA-2026:34342
- https://access.redhat.com/errata/RHSA-2026:9742
- https://access.redhat.com/errata/RHSA-2026:13826
References
- https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25
- https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.