โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY

CVE-2026-33895 in Forge: High-Severity Cryptographic Flaws with Low Exploitation Probability

๐Ÿ“… April 01, 2026 ๐Ÿ”ด Exploit Risk: 0.300 ๐Ÿ“Š Intelligence Score: 74/100 ๐Ÿ“ฐ 2 sources synthesized
TL;DR โ€” Read this first
Intelligence Metadata
First Reported Bymsrc.microsoft.com
Outbreak Velocity0 minutes spread to 1 unique domains
Consensus1 sources across 1 unique domains
CVSS Score7.5
EPSS Score0.00035 (0.035th percentile)
CISA KEV StatusNot Listed
Exploit Risk Score0.3001
Race LabelNOT IN KEV

Technical Analysis

Two distinct vulnerabilities have been identified in the Forge product's cryptographic implementation. The first, CVE-2026-33895, is a signature forgery flaw within its Ed25519 algorithm. The vulnerability stems from a missing check to ensure a scalar component of the signature (S) is less than the group order (L). This omission could allow an attacker to craft a valid signature for an arbitrary message, undermining data integrity and authentication controls that rely on this algorithm.

The second vulnerability, CVE-2026-33896, is a certificate chain validation bypass that violates RFC 5280. The Forge library fails to correctly enforce the `basicConstraints` extension in X.509 certificates. This could permit an intermediate certificate that is not designated as a Certificate Authority (CA:FALSE) to be used to sign a subsequent certificate in the chain. An attacker in a position to inject such a malformed certificate could potentially execute man-in-the-middle (MITM) attacks by presenting a seemingly valid, but unauthorized, certificate chain.

Affected Systems

Vendor: Forge
Affected Versions:
  • Forge
Exposure: Systems relying on the Forge library for cryptographic functions, including secure communications (TLS/SSL), data integrity checks, or identity verification using Ed25519 signatures or X.509 certificate chains.
Blast Radius: The blast radius is dependent on the deployment of Forge within an enterprise. Critical systems using Forge for authentication or secure communication protocols are the most at risk. Specific affected versions were not provided in the source material.

Intelligence Context

The threat profile for these vulnerabilities is currently low despite their high CVSS base scores (7.5 and 7.4). The primary indicator of low risk is the extremely low EPSS score of 0.035% for CVE-2026-33895, which signals a very low probability of exploitation being observed in the wild. This is corroborated by the absence of these CVEs from the CISA KEV catalog. The intelligence signals originate from a single source (msrc.microsoft.com) with no independent confirmation, flagged for potential manipulation due to its high burst from a single origin. For defenders, this translates to a 'monitor and wait' posture. The vulnerabilities are technically severe but lack the key ingredients for immediate prioritization: a public proof-of-concept exploit and active attacker interest.

Remediation & Defense

Monitor for vendor advisories and patch availability. Due to the low probability of exploitation, immediate patching is not warranted. Plan to patch systems based on standard risk and exposure assessments once a fix is released.
Patch Status: Not available
Patch Version: Not available
Workarounds:
  • Not available
Detection Hints:
  • For CVE-2026-33896, monitor certificate validation logs for chains where an intermediate certificate lacks the `basicConstraints` CA:TRUE flag but is used to sign another certificate.
  • For CVE-2026-33895, direct detection of exploitation is difficult. The primary mitigation is to identify all assets using the vulnerable Forge library via software bill of materials (SBOM) or dependency analysis.

Source Timeline

CVE-2026-33895 CVE-2026-33896 Forge vulnerability cryptography signature-forgery certificate-bypass