COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-33896

CVE-2026-33896

Severity
high
Source
NVD · cve
Published
2026-03-27
CVSS
7.4
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-33896
shame 25/100

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints`

Players implicated

digitalbazaar · vendorforge · product

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.