A flaw was found in the way OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. This flaw allows an attacker with access to a private key, of which the corresponding certificate is in the trust bundle, to use this flaw for MITM to any connection from the victim machine.
Red Hat recommends not to include self-signed server certificates in system trust bundle, even with CA:FALSE, as they are considered full-fledged Certificate Authorities.