CVE-2026-50076
Deserialization of Untrusted Data in Apache Fory fory-core Java SDK
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | fory-core | From 1.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a deserialization of untrusted data in the Java replace-resolve path of the Apache Fory fory-core Java SDK, affecting versions before 1.1.0. It allows a remote attacker to bypass security checks such as class registration, TypeChecker, and DisallowedList and, using specially crafted serialized data, to invoke Java deserialization hooks such as readResolve or readExternal on classes present in the classpath.
How can this vulnerability impact me?
The vulnerability can allow a remote attacker to bypass security checks and manipulate the deserialization process, which can lead to remote code execution or other malicious behavior in applications that use Apache Fory fory-core Java SDK versions prior to 1.1.0.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade to version 1.1.0 or later of the Apache Fory fory-core Java SDK, which fixes this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the CVE-2026-50076 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.