{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33896", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.490Z", "datePublished": "2026-03-27T20:50:03.418Z", "dateUpdated": "2026-03-30T18:53:50.510Z"}, "containers": {"cna": {"title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"}, {"name": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90", "tags": ["x_refsource_MISC"], "url": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"}], "affected": [{"vendor": "digitalbazaar", "product": "forge", "versions": [{"version": "< 1.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:50:03.418Z"}, "descriptions": [{"lang": "en", "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue."}], "source": {"advisory": "GHSA-2328-f5f3-gj25", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:53:46.442762Z", "id": "CVE-2026-33896", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:53:50.510Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33896", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T18:53:46.442762Z"}}}], "references": [{"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:53:41.483Z"}}], "cna": {"title": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)", "source": {"advisory": "GHSA-2328-f5f3-gj25", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "digitalbazaar", "product": "forge", "versions": [{"status": "affected", "version": "< 1.4.0"}]}], "references": [{"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90", "name": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:50:03.418Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33896", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:53:50.510Z", "dateReserved": "2026-03-24T15:41:47.490Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:50:03.418Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:digitalbazaar:forge:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "46CBC667-ED99-4B5B-89C8-428CF52FD3FB", "versionEndIncluding": "1.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue."}], "id": "CVE-2026-33896", "lastModified": "2026-04-14T01:13:21.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T21:17:26.320", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance", "id": "2452458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452458"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["A flaw was found in Forge (also known as node-forge), a JavaScript implementation of Transport Layer Security (TLS). The `pki.verifyCertificateChain()` function does not properly enforce certificate validation rules. This oversight allows an intermediate certificate that lacks specific security extensions to enable any leaf certificate to function as a Certificate Authority (CA) and sign other certificates. Consequently, node-forge could accept these unauthorized certificates as valid, potentially leading to spoofing or the issuance of illegitimate certificates."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33896", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "io.cryostat-cryostat", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-platform-ui", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "io.hawt-project", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "io.apicurio-apicurio-registry", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Affected", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Affected", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "org.infinispan-infinispan-console", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "io.apicurio-apicurito", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "io.syndesis-syndesis-parent", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "org.uberfire-uberfire-parent", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2026-03-27T20:50:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33896\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33896\nhttps://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90\nhttps://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "forge", "source": "cna", "vendor": "digitalbazaar"}, "product": "forge", "vendor": "digitalbazaar"}], "analysis": {"en": {"generated_at": "2026-04-14T02:24:14.587347+00:00", "value": {"mitigation_remediation": ["Upgrade node-forge to version 1.4.0 or newer", "Re\u2011verify any custom certificate handling in the code to ensure strict RFC 5280 compliance after the upgrade"], "summary": {"action": "Patch Now", "impact": "TLS impersonation"}, "threat_synthesis": {"affected_systems": "The affected product is node-forge (also known as Forge) from DigitalBazaar. Versions preceding 1.4.0 are vulnerable; all earlier releases permit the described certificate chain bypass.", "description_and_impact": "Forge is a JavaScript implementation of TLS used in Node.js environments. In all releases earlier than 1.4.0, the certificate chain validation routine does not enforce RFC 5280 basicConstraints or keyUsage extensions when an intermediate certificate lacks these extensions. This flaw permits a leaf certificate that omits the required extensions to act as a certificate authority and sign other certificates, which node-forge will accept as valid. Consequently, an attacker could generate and deploy forged certificates that a host application trusting node-forge would accept, enabling impersonation of trusted servers and compromising confidentiality and integrity.", "risk_and_exploitability": "The CVSS base score is 7.4, indicating high severity, while the EPSS score is below 1\u202f%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitability is likely limited to contexts where an attacker can influence the certificates presented to node-forge, such as in applications that perform TLS with third\u2011party certificates or in supply\u2011chain scenarios. An attacker would need to craft a leaf certificate lacking basicConstraints and keyUsage, use it as a CA, sign a target certificate, and supply the resulting chain to an application that relies on node-forge for certificate verification."}}}}, "created": "2026-03-29T20:29:57.137202+00:00", "updated": "2026-04-14T16:42:36.791172+00:00", "vendors": ["digitalbazaar", "digitalbazaar$PRODUCT$forge"]}