Bug 2452458 (CVE-2026-33896) - CVE-2026-33896 node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance
Summary: CVE-2026-33896 node-forge: Forge (node-forge): Certificate validation bypass ...
Keywords:
Status: NEW
Alias: CVE-2026-33896
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452480 2452481 2452482 2452483 2452484 2452485
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-27 21:02 UTC by OSIDB Bzimport
Modified: 2026-03-27 21:47 UTC (History)
44 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-27 21:02:46 UTC 
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Note You need to log in before you can comment on or make changes to this bug.