VYPR
High severity 7.4 · NVD Advisory · Published Mar 27, 2026 · Updated Apr 14, 2026

CVE-2026-33896

Description

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
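A defence-in-depth check that an application still on a node-forge release before 1.4.0 could run on a chain alongside pki.verifyCertificateChain(), as an added example that is not code from node-forge or from the advisory. `checkIssuerConstraints` and `stubCert` are hypothetical names, the stub certificates are constructed stand-ins exposing only getExtension(), and the path-length check ignores RFC 5280's exception for self-issued certificates.

```javascript
// Added example (not node-forge code). Input: certificate objects, leaf first,
// as returned by forge.pki.certificateFromPem(); only getExtension(name) is used.
// Assumption: a trust anchor included in the chain also carries basicConstraints.
function checkIssuerConstraints(chain) {
  const problems = [];
  // Index 0 is the end-entity certificate; each later entry signed the one before it.
  for (let i = 1; i < chain.length; i++) {
    const bc = chain[i].getExtension('basicConstraints');
    const ku = chain[i].getExtension('keyUsage');
    if (!bc) {
      // The case in the advisory: an issuer with no basicConstraints at all.
      problems.push({ index: i, reason: 'basicConstraints missing' });
    } else if (bc.cA !== true) {
      problems.push({ index: i, reason: 'basicConstraints cA is not TRUE' });
    } else if (typeof bc.pathLenConstraint === 'number' &&
               bc.pathLenConstraint < i - 1) {
      // i - 1 certificates sit between this issuer and the leaf.
      problems.push({ index: i, reason: 'pathLenConstraint exceeded' });
    }
    // keyUsage is optional, but when present it must permit certificate signing.
    if (ku && ku.keyCertSign !== true) {
      problems.push({ index: i, reason: 'keyUsage lacks keyCertSign' });
    }
  }
  return problems;
}

// Constructed stand-in with the same getExtension() shape as a forge certificate.
function stubCert(extensions) {
  return { getExtension: (name) => extensions[name] || null };
}

// Constructed chains: leaf, intermediate, root.
const goodChain = [
  stubCert({}),
  stubCert({ basicConstraints: { cA: true, pathLenConstraint: 0 },
             keyUsage: { keyCertSign: true } }),
  stubCert({ basicConstraints: { cA: true } }),
];
// Same hierarchy, but a leaf with no extensions is used as an issuer at index 1.
const leafAsCaChain = [
  stubCert({}),
  stubCert({}),
  stubCert({ basicConstraints: { cA: true, pathLenConstraint: 0 } }),
  stubCert({ basicConstraints: { cA: true } }),
];

console.log(checkIssuerConstraints(goodChain));
console.log(checkIssuerConstraints(leafAsCaChain));
```

Reject the chain when the returned array is non-empty, regardless of what pki.verifyCertificateChain() reports.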

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
node-forge (npm)   < 1.4.0             1.4.0
