CVE Catalog

CVE-2026-50076

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Summary

Apache Fory (foray-core Java SDK before version 1.1.0) has a vulnerability in deserialization of untrusted data, allowing a remote attacker to bypass class registration checks and invoke unsafe methods.

Risk Assessment

An attacker could exploit this vulnerability to perform unauthorized operations on data, potentially leading to serious security breaches in the system.

Recommendation

It is recommended to upgrade to version 1.1.0 or later to mitigate this vulnerability.

Original NVD description (English source)

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS