Platform
nodejs
Component
node-forge
Fixed in
1.4.1
1.4.0
CVE-2026-33896 is a high-severity vulnerability affecting the node-forge library, specifically its certificate validation functionality. This flaw allows an attacker to bypass certificate chain validation, potentially enabling the creation and acceptance of malicious certificates. The vulnerability impacts versions of node-forge prior to 1.4.0, and a fix is available in version 1.4.0.
The flaw lies in node-forge's pki.verifyCertificateChain() function. RFC 5280 (section 4.2.1.9) requires that any certificate used to sign other certificates carry a basicConstraints extension with cA=TRUE, and that a keyUsage extension, where present, assert keyCertSign. Affected versions only enforce this when the intermediate certificate carries a keyUsage extension: a certificate that has neither basicConstraints nor keyUsage is accepted as an issuer without complaint. RFC 5280 permits end-entity (leaf) certificates to omit both extensions, so anyone holding such a leaf certificate that chains to a trusted root can use its private key to sign further certificates, and node-forge will validate the resulting chain as if the leaf were a legitimate CA. This breaks the chain of trust: an attacker can mint certificates for names they do not control that appear valid to applications relying on node-forge for chain validation, enabling man-in-the-middle interception of the connections those applications protect and exposure of the data carried over them.
CVE-2026-33896 was publicly disclosed on 2026-03-26. As of this writing, it is not listed in the CISA KEV catalog and no public proof-of-concept exploit is available, although the flaw is simple to exploit once an attacker holds a leaf certificate that chains to a root the target trusts, so exploit code is likely to appear. The EPSS score is currently low (0.02%, 6th percentile).
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33896 is to upgrade to node-forge version 1.4.0 or later, which enforces the RFC 5280 requirement. If upgrading is not immediately feasible, add a stricter check in the application itself: for every certificate in the chain that signed another certificate (every certificate except the end-entity at the front of the chain), require a basicConstraints extension with cA=TRUE and, if a keyUsage extension is present, the keyCertSign bit. node-forge's verifyCertificateChain() accepts an application verify callback that can reject a chain on these grounds. This is defense in depth, not a replacement for the upgrade. There are no WAF or proxy rules that address this vulnerability directly, since it resides in the application's own validation code, and no signature can identify a forged certificate in advance. Logging the full chain presented on each connection and alerting on chains whose issuer lacks the CA flag, or on unexpected self-signed certificates, can surface exploitation attempts.
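The interim check above written out as a verify callback for pki.verifyCertificateChain(), added here as an example and not code from the node-forge project or from this advisory. The callback shape verify(verified, depth, certs) and the cert.getExtension(name) accessor are node-forge's public API; the error string matches forge's pki.certificateError.bad_certificate. The certificate objects at the bottom are constructed stubs that model only the extension fields the guard reads, so the block runs without the library, without keys and without signatures. The pathLenConstraint check goes slightly beyond the bypass described here and covers the neighbouring RFC 5280 rule.

```javascript
'use strict';

// node-forge calls verify(verified, depth, certs) once per certificate, leaf
// first; for depth > 0, certs[depth] is the certificate that signed
// certs[depth - 1]. This guard re-checks RFC 5280 section 4.2.1.9 on every such
// issuer independently of forge's own checks, which in affected versions skip
// the CA test when both basicConstraints and keyUsage are absent.

// Same string as forge's pki.certificateError.bad_certificate.
const BAD_CERTIFICATE = 'forge.pki.BadCertificate';

// Returns null if `cert` may act as an issuer at `depth`, otherwise a
// forge-style {message, error} object. Only cert.getExtension(name) is used;
// it returns the parsed extension object or null.
function issuerConstraintError(cert, depth) {
  const bc = cert.getExtension('basicConstraints');
  const ku = cert.getExtension('keyUsage');
  if (bc === null || bc.cA !== true) {
    return {
      message: `Certificate at depth ${depth} signed another certificate but ` +
               'lacks basicConstraints with cA=TRUE (RFC 5280 4.2.1.9).',
      error: BAD_CERTIFICATE,
    };
  }
  if (ku !== null && ku.keyCertSign !== true) {
    return {
      message: `Certificate at depth ${depth} has keyUsage without keyCertSign.`,
      error: BAD_CERTIFICATE,
    };
  }
  // pathLenConstraint bounds the number of intermediate certificates below
  // this one; in forge's leaf-first array that number is depth - 1.
  if (typeof bc.pathLenConstraint === 'number' && depth - 1 > bc.pathLenConstraint) {
    return {
      message: `Certificate at depth ${depth} exceeds its pathLenConstraint.`,
      error: BAD_CERTIFICATE,
    };
  }
  return null;
}

// Callback for pki.verifyCertificateChain. Returning true accepts the
// certificate; returning false leaves an error forge already found in place;
// returning an object supplies the error when forge found none.
function strictChainVerify(verified, depth, certs) {
  if (verified !== true) return false; // never override forge's own failure
  if (depth === 0) return true;        // end-entity certificate signs nothing
  const err = issuerConstraintError(certs[depth], depth);
  return err === null ? true : err;
}

// Wiring with the real library (not executed here, so no install is needed):
//   const forge = require('node-forge');
//   forge.pki.verifyCertificateChain(caStore, chain, { verify: strictChainVerify });

// Offline demonstration with constructed stub certificates. The stubs expose
// only the getExtension() shape the guard reads; they are not X.509 objects.
function stubCert(name, extensions) {
  return {
    name,
    getExtension(extName) {
      return extensions.find((e) => e.name === extName) || null;
    },
  };
}

const intermediate = stubCert('intermediate CA', [
  { name: 'basicConstraints', cA: true, pathLenConstraint: 0 },
  { name: 'keyUsage', keyCertSign: true },
]);
// An ordinary end-entity certificate with neither extension (constructed).
const victimLeaf = stubCert('attacker-controlled leaf', []);
// Certificate the attacker minted with that leaf's key for a name they do
// not own (constructed).
const forgedLeaf = stubCert('forged certificate for victim host', []);

// Walks a leaf-first chain the way forge's loop does, assuming every signature
// checked out (verified === true), and returns the first non-true verdict.
function simulateChain(certs) {
  for (let depth = 0; depth < certs.length; depth++) {
    const ret = strictChainVerify(true, depth, certs);
    if (ret !== true) return ret;
  }
  return true;
}

const attackChain = [forgedLeaf, victimLeaf, intermediate]; // leaf used as CA
const honestChain = [victimLeaf, intermediate];
// simulateChain(attackChain).error -> 'forge.pki.BadCertificate'
// simulateChain(honestChain)       -> true
```

In the attack chain the guard rejects at depth 1, where the leaf certificate stands in as the issuer of the forged certificate; in the honest chain only the real intermediate is examined and passes. The trust anchor from the CA store is not part of the certs array forge hands to the callback, so it is never checked here, which matches forge's own behaviour.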
Update the Forge library to version 1.4.0 or higher. This version fixes the basicConstraints bypass vulnerability in certificate chain verification. The update ensures that RFC 5280 requirements are met.
CVE-2026-33896 is a high-severity vulnerability in the node-forge library that allows a certificate not marked as a CA to be accepted as the issuer of other certificates, so an attacker holding an ordinary leaf certificate can act as a rogue certificate authority.
You are affected if you are using node-forge versions prior to 1.4.0 in your Node.js applications and rely on its certificate validation functionality.
Upgrade to node-forge version 1.4.0 or later to resolve the vulnerability. Consider stricter certificate validation policies as an interim measure.
While no public exploits are currently available, the vulnerability's nature suggests that exploitation is likely in the future.
Refer to the node-forge project's repository and release notes for the official advisory and details on the fix: [https://github.com/node-forge/node-forge](https://github.com/node-forge/node-forge)