{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33896", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.490Z", "datePublished": "2026-03-27T20:50:03.418Z", "dateUpdated": "2026-03-30T18:53:50.510Z"}, "containers": {"cna": {"title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"}, {"name": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90", "tags": ["x_refsource_MISC"], "url": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"}], "affected": [{"vendor": "digitalbazaar", "product": "forge", "versions": [{"version": "< 1.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:50:03.418Z"}, "descriptions": [{"lang": "en", "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue."}], "source": {"advisory": "GHSA-2328-f5f3-gj25", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:53:46.442762Z", "id": "CVE-2026-33896", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:53:50.510Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33896", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T18:53:46.442762Z"}}}], "references": [{"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:53:41.483Z"}}], "cna": {"title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)", "source": {"advisory": "GHSA-2328-f5f3-gj25", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "digitalbazaar", "product": "forge", "versions": [{"status": "affected", "version": "< 1.4.0"}]}], "references": [{"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90", "name": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:50:03.418Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33896", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:53:50.510Z", "dateReserved": "2026-03-24T15:41:47.490Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:50:03.418Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue."}], "id": "CVE-2026-33896", "lastModified": "2026-03-30T19:16:25.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:26.320", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"}, {"source": "security-advisories@github.com", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance", "id": "2452458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452458"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["A flaw was found in Forge (also known as node-forge), a JavaScript implementation of Transport Layer Security (TLS). The `pki.verifyCertificateChain()` function does not properly enforce certificate validation rules. This oversight allows an intermediate certificate that lacks specific security extensions to enable any leaf certificate to function as a Certificate Authority (CA) and sign other certificates. Consequently, node-forge could accept these unauthorized certificates as valid, potentially leading to spoofing or the issuance of illegitimate certificates."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33896", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "io.cryostat-cryostat", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-platform-ui", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "io.hawt-project", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "io.apicurio-apicurio-registry", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Affected", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Affected", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "org.infinispan-infinispan-console", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "io.apicurio-apicurito", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "io.syndesis-syndesis-parent", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "org.uberfire-uberfire-parent", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2026-03-27T20:50:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33896\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33896\nhttps://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90\nhttps://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "forge", "source": "cna", "vendor": "digitalbazaar"}, "product": "forge", "vendor": "digitalbazaar"}], "analysis": {"en": {"generated_at": "2026-03-28T05:31:01.354419+00:00", "value": {"mitigation_remediation": ["Update node\u2011forge to version 1.4.0 or later, which includes the basicConstraints enforcement fix.", "If an immediate upgrade is not feasible, avoid using node\u2011forge\u2019s pki.verifyCertificateChain for TLS validation and instead use a hardened TLS stack such as the native Node.js TLS module or OpenSSL.", "As a temporary measure, introduce additional validation logic to check the basicConstraints and keyUsage extensions of intermediate certificates before accepting them."], "summary": {"action": "Immediate Patch", "impact": "Potential Certificate Authority misuse via forged intermediate certs"}, "threat_synthesis": {"affected_systems": "The vulnerable product is the node-forge library (also called forge) from Digital Bazaar. Versions prior to 1.4.0 are affected. Applications built with those versions, especially those that rely on node-forge\u2019s certificate chain verification for TLS or other security functions, are at risk.", "description_and_impact": "Forge\u2019s pki.verifyCertificateChain function does not enforce basicConstraints when an intermediate certificate lacks both basicConstraints and keyUsage extensions. This omission allows a leaf certificate without these extensions to act as a CA and sign other certificates, and node-forge will accept them as valid. The result is that an attacker could create and deploy fraudulent certificates that pass verification, enabling man\u2011in\u2011the\u2011middle attacks, credential theft, or other forms of impersonation.", "risk_and_exploitability": "The CVSS score is 7.4, indicating high severity. EPSS data is not available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting there is no known active exploitation at the time of disclosure. The likely attack vector is within any code that imports node-forge and performs certificate verification, such as server applications, client libraries, or tooling that uses the pki.verifyCertificateChain routine. Because the vulnerability is in a library, the attacker would need to supply a malicious certificate chain to the application or manipulate the chain during TLS negotiation. Exploitation requires the ability to inject or influence the certificate chain presented to the application."}}}}, "created": "2026-03-29T20:29:57.137202+00:00", "updated": "2026-03-30T07:00:16.378038+00:00", "vendors": ["digitalbazaar", "digitalbazaar$PRODUCT$forge"]}