Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.

INFO

Published Date :

2026-03-27T20:50:03.418Z

Last Modified :

2026-03-27T20:50:03.418Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33896 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33896.

URL Resource
https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90 cve-icon cve-icon cve-icon
https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact