Cyber Resilience

CVE-2026-33896

High · Public PoC · Updated

Published: 27 March 2026

Modified: 30 June 2026
CVSS v3.1 score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0019 (8.3th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33896 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Digitalbazaar Forge. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2026-33896 is a vulnerability in Forge, also known as node-forge, a JavaScript implementation of Transport Layer Security. Prior to version 1.4.0, the pki.verifyCertificateChain() function does not enforce RFC 5280 basicConstraints requirements for intermediate certificates that lack both the basicConstraints and keyUsage extensions. This allows any leaf certificate without these extensions to act as a certificate authority and sign other certificates, which node-forge accepts as valid. The issue is classified under CWE-295 (Improper Certificate Validation) with a CVSS v3.1 score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remote attackers with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. By crafting a malicious certificate chain where a leaf certificate impersonates a CA, attackers can bypass certificate chain validation in applications using node-forge, potentially enabling man-in-the-middle attacks that compromise the confidentiality and integrity of TLS-protected communications.

The GitHub security advisory GHSA-2328-f5f3-gj25 and commit 2e492832fb25227e6b647cbe1ac981c123171e90 confirm that version 1.4.0 patches the issue by enforcing the missing RFC 5280 requirements. Security practitioners should upgrade affected Forge instances to 1.4.0 or later to mitigate the vulnerability.

Vulnerability details

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
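To make the RFC 5280 rule concrete, the following JavaScript is an added illustration (not node-forge code) that models the issuer check on constructed certificate descriptors rather than real X.509 objects; `mayActAsIssuer`, `verifyChainStructure`, the `extensions` shape and the sample certificates are all assumptions of this example, and the `'legacy'` mode only reproduces the gap as the advisory describes it.

```javascript
// Added example, not node-forge code. Certificates are constructed plain objects:
// { subject, extensions: { basicConstraints?: { cA }, keyUsage?: { keyCertSign } } }.
// Chain order is [leaf, ...intermediates, root]; signature checks are out of scope.

// Can `cert` act as the issuer of the certificate below it in the chain?
// 'strict' applies RFC 5280 section 6.1.4; 'legacy' reproduces the pre-1.4.0
// gap described in the advisory: a certificate carrying neither extension
// was not rejected as an issuer.
function mayActAsIssuer(cert, mode = 'strict') {
  const bc = cert.extensions.basicConstraints;
  const ku = cert.extensions.keyUsage;
  if (mode === 'legacy' && bc === undefined && ku === undefined) {
    return true; // the gap: no extensions present, so no CA check at all
  }
  // RFC 5280: an issuer must assert basicConstraints cA=TRUE, and if
  // keyUsage is present it must include keyCertSign.
  if (bc === undefined || bc.cA !== true) return false;
  if (ku !== undefined && ku.keyCertSign !== true) return false;
  return true;
}

// Walks the chain and reports the first certificate that issued another
// without being entitled to. Index 0 is the leaf and never acts as issuer.
function verifyChainStructure(chain, mode = 'strict') {
  for (let i = 1; i < chain.length; i++) {
    if (!mayActAsIssuer(chain[i], mode)) {
      return { ok: false, failedAt: i, subject: chain[i].subject };
    }
  }
  return { ok: true };
}

// Constructed sample certificates (not real certificates).
const ROOT = { subject: 'Example Root',
  extensions: { basicConstraints: { cA: true }, keyUsage: { keyCertSign: true } } };
const INTERMEDIATE = { subject: 'Example Intermediate',
  extensions: { basicConstraints: { cA: true } } };
const SERVER = { subject: 'www.example.test',
  extensions: { basicConstraints: { cA: false } } };
// A leaf issued with neither extension, then used to sign another certificate.
const BARE_LEAF = { subject: 'bare.example.test', extensions: {} };
const ISSUED_BY_BARE = { subject: 'victim.example.test', extensions: {} };

const VALID_CHAIN = [SERVER, INTERMEDIATE, ROOT];
const LEAF_AS_CA_CHAIN = [ISSUED_BY_BARE, BARE_LEAF, INTERMEDIATE, ROOT];

console.log('strict:', JSON.stringify(verifyChainStructure(LEAF_AS_CA_CHAIN)));
console.log('legacy:', JSON.stringify(verifyChainStructure(LEAF_AS_CA_CHAIN, 'legacy')));
```

The strict walk rejects the chain at index 1 (the bare leaf), while the legacy walk accepts it, which is the behaviour the 1.4.0 fix removes.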

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing…
Why these techniques?

Vulnerability enables forged certificate chains to pass validation (CWE-295), directly facilitating man-in-the-middle attacks on TLS sessions as described in the CVE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33895 (same product: Digitalbazaar Forge)
CVE-2026-33891 (same product: Digitalbazaar Forge)
CVE-2026-33894 (same product: Digitalbazaar Forge)
CVE-2026-33810 (shared CWE-295)
CVE-2026-42012 (shared CWE-295)
CVE-2025-0500 (shared CWE-295)
CVE-2024-11621 (shared CWE-295)
CVE-2025-70043 (shared CWE-295)
CVE-2026-4396 (shared CWE-295)
CVE-2026-25160 (shared CWE-295)

Affected Assets

digitalbazaar forge, versions ≤ 1.3.3

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SC-17 (Public Key Infrastructure Certificates) requires validation and acceptance of PKI certificates per defined requirements, directly addressing the improper certificate chain validation lacking RFC 5280 basicConstraints enforcement in node-forge.

Prevent: SI-2 (Flaw Remediation) mandates identification, reporting, and timely correction of software flaws such as CVE-2026-33896 by upgrading node-forge to version 1.4.0 or later.

Detect: RA-5 (Vulnerability Monitoring and Scanning) provides for vulnerability scanning to identify instances of vulnerable node-forge versions, enabling remediation before exploitation in TLS communications.
