PT-2026-28559 · Forge · Forge

Peaktwilight · Published 2026-03-26 · Updated 2026-04-01

CVE-2026-33896 · CVSS v3.1 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Forge versions prior to 1.4.0

Description: Forge, a native implementation of Transport Layer Security in JavaScript, has an issue where the pki.verifyCertificateChain() function does not properly enforce RFC 5280 basicConstraints requirements. Specifically, when an intermediate certificate is missing both the basicConstraints and keyUsage extensions, any leaf certificate can act as a Certificate Authority (CA) and sign other certificates, which Forge will incorrectly accept as valid. This bypass allows for the creation of untrusted certificate chains.

Recommendations: Update to Forge version 1.4.0 or later.
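As an added example (not Forge's own code), the following standalone JavaScript shows the basicConstraints, pathLenConstraint and keyUsage checks that RFC 5280 requires of every issuing certificate in a chain, i.e. the checks the advisory says pki.verifyCertificateChain() skipped when both extensions were absent. Certificate objects are modelled after node-forge's parsed shape (an assumption) and the sample chains are constructed for illustration.

```javascript
// Added example, not Forge's code. Certificates are plain objects shaped like
// node-forge's parsed certificates (assumption): { subject, issuer, extensions }.
function getExtension(cert, name) {
  return (cert.extensions || []).find((e) => e.name === name) || null;
}

// May `issuer` sign a certificate when `caDepth` intermediates already sit
// between it and the leaf? Returns null if allowed, otherwise the violation.
function issuerViolation(issuer, caDepth) {
  const bc = getExtension(issuer, 'basicConstraints');
  // RFC 5280 4.2.1.9: a certificate used to verify signatures must carry
  // basicConstraints with cA=TRUE. A missing extension is not "unrestricted".
  if (!bc) return 'issuer lacks basicConstraints';
  if (bc.cA !== true) return 'issuer basicConstraints cA is not TRUE';
  // pathLenConstraint bounds the number of intermediate CAs below this one.
  if (typeof bc.pathLenConstraint === 'number' && caDepth > bc.pathLenConstraint) {
    return `pathLenConstraint ${bc.pathLenConstraint} exceeded`;
  }
  // RFC 5280 4.2.1.3: if keyUsage is present on a CA, keyCertSign must be set.
  const ku = getExtension(issuer, 'keyUsage');
  if (ku && !ku.keyCertSign) return 'issuer keyUsage lacks keyCertSign';
  return null;
}

// chain is ordered leaf first, trust anchor last. Signature verification is
// assumed to happen elsewhere; this only enforces the CA constraints.
function checkChainConstraints(chain) {
  if (!Array.isArray(chain) || chain.length < 2) {
    return { ok: false, reason: 'chain needs a leaf and at least one issuer' };
  }
  for (let i = 1; i < chain.length; i++) {
    const issuer = chain[i];
    const child = chain[i - 1];
    if (child.issuer !== issuer.subject) {
      return { ok: false, reason: `name chaining broken at index ${i}` };
    }
    const v = issuerViolation(issuer, i - 1); // i - 1 intermediates below issuer
    if (v) return { ok: false, reason: `${issuer.subject}: ${v}` };
  }
  return { ok: true, reason: null };
}

// Constructed sample certificates (leaf first, trust anchor last).
const ROOT = { subject: 'CN=Root', issuer: 'CN=Root', extensions: [
  { name: 'basicConstraints', cA: true }, { name: 'keyUsage', keyCertSign: true }] };
const INTERMEDIATE = { subject: 'CN=Int', issuer: 'CN=Root', extensions: [
  { name: 'basicConstraints', cA: true, pathLenConstraint: 0 },
  { name: 'keyUsage', keyCertSign: true }] };
// End-entity cert with neither extension, then used to issue another cert.
const BARE_LEAF = { subject: 'CN=leaf.example', issuer: 'CN=Int', extensions: [] };
const ROGUE = { subject: 'CN=rogue.example', issuer: 'CN=leaf.example', extensions: [] };
```

A leaf issued by INTERMEDIATE validates, while a chain that passes through BARE_LEAF as an issuer is rejected because it carries no basicConstraints.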

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-33896
GHSA-2328-F5F3-GJ25

Affected Products

Forge