Critical Node-Forge Flaw: CVE-2026-33896 Allows Unauthorized Certificate Authority Spoofing

A critical security vulnerability in the widely-used `node-forge` cryptography library allows any leaf certificate to illegitimately act as a Certificate Authority (CA). The flaw, tracked as CVE-2026-33896, resides in the `pki.verifyCertificateChain()` function. It fails to enforce mandatory RFC 5280 `basicConstraints` requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This omission creates a dangerous loophole in the chain of trust.

This vulnerability fundamentally undermines the integrity of certificate validation. In practice, a malicious actor could exploit this weakness to sign and issue fraudulent certificates that would be incorrectly validated as legitimate by the affected library. The issue is present in versions prior to 1.4.0, prompting an urgent security advisory from the maintainers at Digital Bazaar. The fix is contained in the newly released node-forge version 1.4.0, which now correctly enforces the required constraints.

The implications are severe for any application or service relying on `node-forge` for TLS/SSL, code signing, or any form of PKI-based authentication. The flaw could facilitate man-in-the-middle attacks, spoofing of trusted services, or the signing of malicious code. This vulnerability highlights the critical, often overlooked, dependencies within the software supply chain and the cascading risks they pose. Immediate patching to version 1.4.0 is the only mitigation.