Bug 2452458 (CVE-2026-33896)

Summary: CVE-2026-33896 node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aazores, abrianik, bdettelb, caswilli, cmah, dhanak, doconnor, drosa, dschmidt, eaguilar, ebaron, erezende, ewittman, ggrzybek, gmalinko, ibek, janstey, jcantril, jlanda, jolong, jrokos, jwong, kaycoth, kshier, lchilton, mnovotny, nipatil, omaciel, pantinor, parichar, pdelbell, pjindal, rkubis, rojacob, rstepani, sausingh, sfeifer, simaishi, smcdonal, stcannon, tasato, teagle, ttakamiy, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Forge (also known as node-forge), a JavaScript implementation of Transport Layer Security (TLS). The `pki.verifyCertificateChain()` function does not properly enforce certificate validation rules: when an intermediate certificate lacks the `basicConstraints` and `keyUsage` extensions, any leaf certificate below it can act as a Certificate Authority (CA) and sign further certificates, which node-forge then accepts as valid. This can lead to spoofing or the issuance of illegitimate certificates.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2452480, 2452481, 2452482, 2452483, 2452484, 2452485
Bug Blocks:

Description (OSIDB Bzimport, 2026-03-27 21:02:46 UTC)
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
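A defender-side check for the RFC 5280 issuer rules described above, as an added example (not node-forge's own code): it walks a leaf-first chain and rejects any issuer that lacks `basicConstraints` with `cA=true`, or that carries `keyUsage` without `keyCertSign`, which is exactly the case the vulnerable `pki.verifyCertificateChain()` let through. It operates on objects shaped like node-forge's certificate `getExtension()` results, using constructed stand-in certificates (no real keys or signatures) so it runs without the library.

```javascript
// Certificates are assumed to expose getExtension(name), returning the parsed
// extension or null, as node-forge's pki.Certificate does, e.g.
// { name: 'basicConstraints', cA: true, pathLenConstraint: 0 } and
// { name: 'keyUsage', keyCertSign: true }.

// Returns null if `issuer` is allowed to sign certificates, else a reason string.
function issuerDefect(issuer) {
  const bc = issuer.getExtension('basicConstraints');
  const ku = issuer.getExtension('keyUsage');
  // RFC 5280 4.2.1.9: a CA certificate MUST carry basicConstraints with cA=true.
  // The vulnerable behaviour treated "no extension at all" as permission to sign.
  if (!bc) return 'issuer has no basicConstraints extension';
  if (bc.cA !== true) return 'issuer basicConstraints cA is not true';
  // RFC 5280 4.2.1.3: if keyUsage is present, keyCertSign MUST be asserted.
  if (ku && ku.keyCertSign !== true) return 'issuer keyUsage lacks keyCertSign';
  return null;
}

// Leaf-first chain: chain[i] (i >= 1) is the issuer of chain[i-1].
// Returns { ok: true } or { ok: false, index, reason }. Signature verification
// and trust-anchor lookup are assumed to happen elsewhere (e.g. the CA store).
function checkChainConstraints(chain) {
  for (let i = 1; i < chain.length; i++) {
    const reason = issuerDefect(chain[i]);
    if (reason) return { ok: false, index: i, reason };
    const bc = chain[i].getExtension('basicConstraints');
    // pathLenConstraint bounds the number of intermediates below this CA; the
    // leaf is not counted, so i-1 intermediates sit between it and the leaf.
    if (typeof bc.pathLenConstraint === 'number' && i - 1 > bc.pathLenConstraint) {
      return { ok: false, index: i, reason: 'pathLenConstraint exceeded' };
    }
  }
  return { ok: true };
}

// Constructed stand-in certificates: only the extensions matter for this check.
function fakeCert(exts) {
  return { getExtension: (name) => exts.find((e) => e.name === name) || null };
}
const root = fakeCert([{ name: 'basicConstraints', cA: true },
                       { name: 'keyUsage', keyCertSign: true }]);
const bareIntermediate = fakeCert([]); // neither extension: the CVE-2026-33896 case
const rogueLeaf = fakeCert([]);        // end-entity below it, misused as a CA
const victim = fakeCert([{ name: 'basicConstraints', cA: false }]);

// The chain a vulnerable verifier accepted: victim <- rogueLeaf <- bareIntermediate <- root
const vulnerableChain = [victim, rogueLeaf, bareIntermediate, root];
```

The same logic can be run from the `verify` callback that `pki.verifyCertificateChain()` accepts, as a belt-and-braces check on versions before 1.4.0.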