CVE-2026-33896: CWE-295: Improper Certificate Validation in digitalbazaar forge
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33896 affects the digitalbazaar forge library, a JavaScript implementation of TLS. Before version 1.4.0, the pki.verifyCertificateChain() method fails to enforce the RFC 5280 basicConstraints requirements if an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows a leaf certificate without these extensions to be treated as a CA, enabling it to sign other certificates that forge will accept as valid. This improper certificate validation is classified under CWE-295. The vulnerability has a CVSS 3.1 score of 7.4 (high severity) and is fixed in version 1.4.0.
Potential Impact
Exploitation of this vulnerability could allow an attacker to use a leaf certificate without proper CA extensions to sign other certificates, which the forge library would accept as valid. This undermines the trust model of certificate chains and could lead to man-in-the-middle attacks or unauthorized certificate issuance in applications relying on forge for TLS operations. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade the digitalbazaar forge library to version 1.4.0 or later, where this certificate validation issue is fixed. Since this is a native library, applying the official patch by updating to the fixed version is the recommended remediation. Patch status is confirmed by the vendor advisory stating version 1.4.0 addresses the issue.
CVE-2026-33896: CWE-295: Improper Certificate Validation in digitalbazaar forge
Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-33896 affects the digitalbazaar forge library, a JavaScript implementation of TLS. Before version 1.4.0, the pki.verifyCertificateChain() method fails to enforce the RFC 5280 basicConstraints requirements if an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows a leaf certificate without these extensions to be treated as a CA, enabling it to sign other certificates that forge will accept as valid. This improper certificate validation is classified under CWE-295. The vulnerability has a CVSS 3.1 score of 7.4 (high severity) and is fixed in version 1.4.0.
Potential Impact
Exploitation of this vulnerability could allow an attacker to use a leaf certificate without proper CA extensions to sign other certificates, which the forge library would accept as valid. This undermines the trust model of certificate chains and could lead to man-in-the-middle attacks or unauthorized certificate issuance in applications relying on forge for TLS operations. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade the digitalbazaar forge library to version 1.4.0 or later, where this certificate validation issue is fixed. Since this is a native library, applying the official patch by updating to the fixed version is the recommended remediation. Patch status is confirmed by the vendor advisory stating version 1.4.0 addresses the issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T15:41:47.490Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c6efd03c064ed76ff473f9
Added to database: 3/27/2026, 9:00:00 PM
Last enriched: 4/4/2026, 10:59:39 AM
Last updated: 5/12/2026, 2:46:25 AM
Views: 79
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.