Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass_CVE-2026-50076

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.

Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.

AI Analysis

Deserialization of Untrusted Data vulnerability in Apache Fory Java SDK

Basic Information

ID CVE-2026-50076

Source apache

Published Jun 4, 2026 at 16:09

Modified Jun 4, 2026 at 17:01

Affected Product

Vendor Apache Software Foundation

Product Apache Fory

Affected Versions Apache Software Foundation Apache Fory 0

CWE Classification

CWE-502

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Apache Software Foundation

Product Apache Fory Java SDK

References

fory.apache.org /security

{
    "lastseen": "",
    "description": "Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.\n\nUsers are recommended to upgrade to version 1.1.0 or later, which fixes this issue.",
    "published": "2026-06-04T16:09:03.212Z",
    "modified": "2026-06-04T17:01:57.229Z",
    "type": "cve",
    "title": "Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass",
    "source": "apache",
    "references": "https://fory.apache.org/security",
    "id": "CVE-2026-50076",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Fory 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Fory",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "Deserialization of Untrusted Data vulnerability in Apache Fory Java SDK",
    "ai_severity": "Critical",
    "ai_vendor": "Apache Software Foundation",
    "ai_product": "Apache Fory Java SDK",
    "ai_version": "0",
    "ai_score": 9.1
}