CVE-2026-33896
Published: 27 March 2026
Summary
CVE-2026-33896 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Digitalbazaar Forge. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 9.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SC-17 (Public Key Infrastructure Certificates).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation and acceptance of PKI certificates per defined requirements, directly addressing the improper certificate chain validation lacking RFC 5280 basicConstraints enforcement in node-forge.
Mandates identification, reporting, and timely correction of software flaws such as CVE-2026-33896 by upgrading node-forge to version 1.4.0 or later.
Provides for vulnerability scanning to identify instances of vulnerable node-forge versions, enabling remediation before exploitation in TLS communications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables forged certificate chains to pass validation (CWE-295), directly facilitating man-in-the-middle attacks on TLS sessions as described in the CVE.
NVD Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any…
more
leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Deeper analysisAI
CVE-2026-33896 is a vulnerability in Forge, also known as node-forge, a JavaScript implementation of Transport Layer Security. Prior to version 1.4.0, the pki.verifyCertificateChain() function does not enforce RFC 5280 basicConstraints requirements for intermediate certificates that lack both the basicConstraints and keyUsage extensions. This allows any leaf certificate without these extensions to act as a certificate authority and sign other certificates, which node-forge accepts as valid. The issue is classified under CWE-295 (Improper Certificate Validation) with a CVSS v3.1 score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
Remote attackers with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. By crafting a malicious certificate chain where a leaf certificate impersonates a CA, attackers can bypass certificate chain validation in applications using node-forge, potentially enabling man-in-the-middle attacks that compromise the confidentiality and integrity of TLS-protected communications.
The GitHub security advisory GHSA-2328-f5f3-gj25 and commit 2e492832fb25227e6b647cbe1ac981c123171e90 confirm that version 1.4.0 patches the issue by enforcing the missing RFC 5280 requirements. Security practitioners should upgrade affected Forge instances to 1.4.0 or later to mitigate the vulnerability.
Details
- CWE(s)