CVE-2026-33894 Forge has signature forgery in RSA-PKCS due to ASN.1 extra field

🗓️ 27 Mar 2026 20:45:49Reported by GoogleType

osv

osv🔗 osv.dev

Forge before 1.4.0 allows Bleichenbacher RSA PKCS#1 v1.5 forgery via extra ASN.1 bytes.

Reporter	Title	Published	Views	Family All 50
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution, loss of confidentiality and denial of service	6 May 202613:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses node-forge-1.3.2.tgz, node-forge-1.3.3.tgz which is vulnerable to CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896	5 May 202612:43	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of node-forge-1.3.1.tgz, IBM Sterling Connect:Direct Web Services is affected by Denial of Service (DoS).	2 Jun 202612:04	–	ibm
ATTACKERKB	CVE-2026-33894	27 Mar 202620:45	–	attackerkb
Chainguard	CVE-2026-33894 vulnerabilities	31 Mar 202619:17	–	cgr
Circl	CVE-2026-33894	26 Mar 202622:02	–	circl
CNNVD	Digital Bazaar Forge 数据伪造问题漏洞	27 Mar 202600:00	–	cnnvd
CVE	CVE-2026-33894	27 Mar 202620:45	–	cve
Cvelist	CVE-2026-33894 Forge has signature forgery in RSA-PKCS due to ASN.1 extra field	27 Mar 202620:45	–	cvelist
Github Security Blog	Forge has signature forgery in RSA-PKCS due to ASN.1 extra field	26 Mar 202622:02	–	github

Source	Link
datatracker	www.datatracker.ietf.org/doc/html/rfc2313
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33894.json
github	www.github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp
mailarchive	www.mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-33894
rfc-editor	www.rfc-editor.org/rfc/rfc8017.html

10 Apr 2026 05:42Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.17.5

EPSS0.00038

signature forgery pkcs one five bleichenbacher forgery