Bug 2452458 (CVE-2026-33896) - CVE-2026-33896 node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance
Summary: CVE-2026-33896 node-forge: Forge (node-forge): Certificate validation bypass ...
Keywords:
Status: NEW
Alias: CVE-2026-33896
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452484 2452485 2452480 2452481 2452482 2452483
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-27 21:02 UTC by OSIDB Bzimport
Modified: 2026-06-09 11:03 UTC (History)
44 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:24761 0 None None None 2026-06-09 11:03:32 UTC

Description OSIDB Bzimport 2026-03-27 21:02:46 UTC 
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Comment 2 errata-xmlrpc 2026-06-09 11:03:29 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:24761 https://access.redhat.com/errata/RHSA-2026:24761
Note You need to log in before you can comment on or make changes to this bug.