CVE-2026-33896: Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
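As an added illustration (not node-forge's own code), the following issuer check enforces the RFC 5280 rule the advisory says was skipped: every certificate used as an issuer must be a v3 certificate carrying basicConstraints with cA=true, and if it carries keyUsage, keyCertSign must be asserted. The certificate objects are constructed stubs shaped like a forge certificate (a zero-based `version` field and `getExtension(name)`); that shape is an assumption, not real X.509 data.

```javascript
// Added example, not code from node-forge. Certificates are constructed stubs
// that mimic the forge pki.certificate shape (assumption): `version` is the
// zero-based X.509 version (2 = v3) and getExtension(name) returns the parsed
// extension object or null.

function isAcceptableIssuer(cert) {
  // RFC 5280 6.1.4(k): a v3 issuer MUST have basicConstraints with cA=TRUE.
  // v1/v2 issuers may be rejected outright by a conforming implementation.
  if (cert.version !== 2) {
    return { ok: false, reason: 'only v3 certificates are evaluated as issuers' };
  }
  const bc = cert.getExtension('basicConstraints');
  if (!bc || bc.cA !== true) {
    return { ok: false, reason: 'basicConstraints missing or cA is not TRUE' };
  }
  // RFC 5280 6.1.4(n): if keyUsage is present it must assert keyCertSign.
  const ku = cert.getExtension('keyUsage');
  if (ku && ku.keyCertSign !== true) {
    return { ok: false, reason: 'keyUsage present without keyCertSign' };
  }
  return { ok: true, reason: '' };
}

// Chain is ordered leaf first, root last; every cert after the leaf is an issuer.
function checkChainIssuers(chain) {
  for (let i = 1; i < chain.length; i++) {
    const r = isAcceptableIssuer(chain[i]);
    if (!r.ok) return { ok: false, index: i, reason: r.reason };
  }
  return { ok: true, index: -1, reason: '' };
}

// Constructed stub certificates (no real key material or signatures).
function makeCert(version, extensions) {
  return { version, getExtension: (name) => extensions[name] || null };
}
const root = makeCert(2, { basicConstraints: { cA: true }, keyUsage: { keyCertSign: true } });
const properCa = makeCert(2, { basicConstraints: { cA: true } });
// End-entity certificate with neither extension: the case the advisory describes.
const bareLeaf = makeCert(2, {});
const endEntity = makeCert(2, { basicConstraints: { cA: false } });

const goodChain = [endEntity, properCa, root];
const badChain = [endEntity, bareLeaf, root]; // bareLeaf sits in the issuer position
```

Running `checkChainIssuers` over `badChain` flags index 1 (the extension-less certificate in the issuer position), which is the rejection the advisory says the vulnerable `pki.verifyCertificateChain()` did not perform.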