CVE-2026-33896

Updated on 27 Mar 2026

Severity

7.4 High severity

Details

CVSS score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Overview

About vulnerability

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
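
A pre-verification check for the condition described above, as an added example (not node-forge's code or its 1.4.0 patch). It assumes certificate objects whose `extensions` entries carry forge-style `name`, `cA`, `pathLenConstraint` and `keyCertSign` fields, ordered leaf first; `checkIssuerConstraints` is a hypothetical helper name and the sample chains are constructed.

```javascript
// Added example: enforce RFC 5280 CA requirements on every issuer in a chain.
// Assumption: certificates are forge-shaped objects, chain[0] is the leaf and
// each later entry issued the one before it (all treated as X.509 v3).
function getExt(cert, name) {
  return (cert.extensions || []).find((e) => e.name === name) || null;
}

function checkIssuerConstraints(chain) {
  const problems = [];
  for (let i = 1; i < chain.length; i++) {
    const bc = getExt(chain[i], 'basicConstraints');
    const ku = getExt(chain[i], 'keyUsage');
    if (!bc) {
      // The case from the advisory: no basicConstraints (and no keyUsage).
      problems.push({ index: i, reason: 'missing basicConstraints' });
      continue;
    }
    if (bc.cA !== true) {
      problems.push({ index: i, reason: 'basicConstraints cA is not true' });
      continue;
    }
    if (ku && ku.keyCertSign !== true) {
      problems.push({ index: i, reason: 'keyUsage lacks keyCertSign' });
    }
    // i - 1 intermediates sit between this issuer and the leaf.
    if (typeof bc.pathLenConstraint === 'number' && bc.pathLenConstraint < i - 1) {
      problems.push({ index: i, reason: 'pathLenConstraint exceeded' });
    }
  }
  return problems;
}

// Constructed sample certificates (extensions only, no real keys or names).
const ca = { extensions: [
  { name: 'basicConstraints', cA: true },
  { name: 'keyUsage', keyCertSign: true, cRLSign: true },
] };
const plainLeaf = { extensions: [] }; // no basicConstraints, no keyUsage
const endEntity = { extensions: [{ name: 'basicConstraints', cA: false }] };
const shortCa = { extensions: [{ name: 'basicConstraints', cA: true, pathLenConstraint: 0 }] };

console.log(checkIssuerConstraints([endEntity, ca]));            // no problems
console.log(checkIssuerConstraints([endEntity, plainLeaf, ca])); // index 1 flagged
console.log(checkIssuerConstraints([endEntity, ca, shortCa]));   // index 2 flagged
```

On versions before 1.4.0, a chain that returns any problem here should be rejected before pki.verifyCertificateChain() is consulted.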

Details

Affected packages:
icu @ 67.1 (+5 more)

Fixes