CVE-2026-33896 Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)

🗓️ 27 Mar 2026 20:50:03Reported by GitHub_MType

Forge CVE-2026-33896 lets leaf certificates without basicConstraints or keyUsage act as CAs; fixed 1.4.0.

Reporter	Title	Published	Views	Family All 50
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Data Product Hub	24 Apr 202616:22	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution, loss of confidentiality and denial of service	6 May 202613:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses node-forge-1.3.2.tgz, node-forge-1.3.3.tgz which is vulnerable to CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896	5 May 202612:43	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of node-forge-1.3.1.tgz, IBM Sterling Connect:Direct Web Services is affected by Denial of Service (DoS).	2 Jun 202612:04	–	ibm
ATTACKERKB	CVE-2026-33896	27 Mar 202620:50	–	attackerkb
Chainguard	CVE-2026-33896 vulnerabilities	31 Mar 202619:17	–	cgr
Circl	CVE-2026-33896	26 Mar 202622:05	–	circl
CNNVD	Digital Bazaar Forge 信任管理问题漏洞	27 Mar 202600:00	–	cnnvd
CVE	CVE-2026-33896	27 Mar 202620:50	–	cve
Github Security Blog	Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)	26 Mar 202622:05	–	github

[
  {
    "vendor": "digitalbazaar",
    "product": "forge",
    "versions": [
      {
        "version": "< 1.4.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90
github	www.github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25

27 Mar 2026 20:50Current

CVSS 3.17.4

EPSS0.00185

CWE-295