CVE-2026-33896

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33896
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33896.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33896
Aliases
Downstream
Related
Published
2026-03-27T20:50:03.418Z
Modified
2026-04-10T05:42:58.061931Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33896.json",
    "cwe_ids": [
        "CWE-295"
    ]
}
References

Affected packages

Git / github.com/digitalbazaar/forge

Affected ranges

Type
GIT
Repo
https://github.com/digitalbazaar/forge
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
fa385f92440879601240020f158bed68e444e83a
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.0"
        }
    ]
}

Affected versions

0.*
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.10.0
0.2.0
0.2.1
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.17
0.2.18
0.2.19
0.2.2
0.2.20
0.2.21
0.2.22
0.2.23
0.2.24
0.2.25
0.2.26
0.2.27
0.2.28
0.2.29
0.2.3
0.2.30
0.2.31
0.2.32
0.2.33
0.2.34
0.2.35
0.2.36
0.2.37
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.6.1
0.6.10
0.6.11
0.6.12
0.6.13
0.6.16
0.6.17
0.6.18
0.6.2
0.6.20
0.6.21
0.6.22
0.6.23
0.6.24
0.6.25
0.6.26
0.6.27
0.6.28
0.6.29
0.6.3
0.6.30
0.6.31
0.6.32
0.6.33
0.6.34
0.6.35
0.6.37
0.6.38
0.6.39
0.6.4
0.6.40
0.6.41
0.6.42
0.6.43
0.6.44
0.6.45
0.6.46
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9.0
0.9.1
0.9.2
v1.*
v1.0.0
v1.1.0
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v1.3.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33896.json"