Apache Fory Deserialization Flaw Lets Attackers Bypass Java Safety Checks
Apache disclosed CVE-2026-50076, an important- to high-severity deserialization vulnerability in the Java SDK of Apache Fory that affects org.apache.fory:fory-core versions before 1.1.0. The flaw lies in the Java ReplaceResolverSerializer replace-resolve path, where incomplete verification allows crafted Fory serialized data to bypass class registration requirements, TypeChecker enforcement, and DisallowedList protections during deserialization.
If an application processes untrusted external data streams, a remote attacker can trigger classpath-present readResolve and readExternal hooks on Java/JVM systems, creating a path to unauthorized code execution on backend servers. Apache fixed the issue in version 1.1.0 by adding stricter sanitization checks before deserialization and advised users to upgrade immediately and review deployments that deserialize externally supplied data; the vulnerability was reported by Venkatraman Kumar (r3dw0lfsec) of Securin.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Apache Fory 1.1.0 released to fix CVE-2026-50076
Apache Fory maintainers released version 1.1.0 or later as the remediation for CVE-2026-50076. The fix adds stricter sanitization checks before deserialization to prevent the ReplaceResolverSerializer bypass.
Apache discloses CVE-2026-50076 in Apache Fory Java SDK
Apache disclosed CVE-2026-50076, an important-severity deserialization vulnerability in the Java replace-resolve path of fory-core that can let crafted serialized data bypass class registration, TypeChecker, and DisallowedList protections. The issue was credited to Venkatraman Kumar (r3dw0lfsec) of Securin.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache Tomcat auth bypass and Apache CXF JMS RCE flaw disclosed
Apache disclosed **CVE-2026-43512**, a moderate-severity authentication bypass in Tomcat's DIGEST authenticator that can let any user unknown to the configured Realm authenticate if the supplied password is `"null"`. The flaw affects multiple supported branches, including Tomcat `11.0.0-M1` through `11.0.21`, `10.1.0-M1` through `10.1.54`, and `9.0.0.M1` through `9.0.117`, with older unsupported releases potentially affected. Apache advised users to upgrade to `11.0.22+`, `10.1.55+`, or `9.0.118+`. Apache also disclosed **CVE-2026-44417**, a moderate-severity flaw in the JMS transport component of Apache CXF caused by an incomplete fix for **CVE-2025-48913**. The remaining vulnerable code path can still lead to remote code execution when untrusted users are allowed to configure JMS. Affected releases include CXF JMS transport `4.2.0` before `4.2.1`, `4.0.0` before `4.1.6`, and all `3.6.x` versions before `3.6.11`; Apache said organizations should upgrade to `4.2.1`, `4.1.6`, or `3.6.11`.
May 25, 2026
Apache Fesod SSRF Flaw in UrlImageConverter Patched
Apache disclosed **CVE-2026-49328**, an important-severity server-side request forgery (**SSRF**) vulnerability in Apache Fesod (Incubating) affecting the `fesod-sheet` package before version `2.0.2-incubating`. The flaw resides in the `UrlImageConverter` component, where improper validation of user-supplied image URLs can cause the server to make outbound requests to internal or otherwise restricted resources. The issue was reported by Xu Han and is tracked in Apache Fesod issue or pull request `#917`. The vulnerability could let attackers probe enterprise backend systems or private cloud endpoints that are not directly exposed to the internet, increasing the risk of internal network access and information exposure. Apache has released **version `2.0.2-incubating`** to remediate the bug with stricter validation of user-supplied parameters, and defenders are being urged to upgrade promptly; where immediate patching is not possible, restricting unusual outbound server connections can help reduce exposure.
Jun 2, 2026
Apache ActiveMQ Flaws Enable Path Traversal and TLS DoS
Apache disclosed two vulnerabilities affecting multiple **ActiveMQ** components, including Client, Broker, and bundled distributions. **CVE-2026-33227** is a low-severity pathname restriction flaw that lets an authenticated user manipulate a supplied `key` value to traverse the classpath in two cases: when creating a **STOMP** consumer and when browsing messages through the web console. Apache warned the issue could expose classpath resource loading and potentially be chained with another attack. The flaw affects the 5.x branch before **5.19.3** and the 6.x branch from **6.0.0** before **6.2.2**, but Apache said those initial fixes were incomplete on Windows because of path separator handling, and recommended upgrading instead to **5.19.4** or **6.2.3**. Apache also published **CVE-2026-39304**, an important denial-of-service flaw in ActiveMQ's **NIO SSL transports** caused by incorrect handling of **TLS 1.3 `KeyUpdate`** messages. A client can repeatedly trigger updates and exhaust broker memory in the SSL engine, causing out-of-memory crashes and service disruption. Apache added that related handshake handling is also broken for earlier TLS versions such as **TLS 1.2**, though those cases lead to hung connections rather than memory exhaustion. The DoS issue affects the 5.x branch before **5.19.4** and the 6.x branch from **6.0.0** before **6.2.4**; users are advised to upgrade to **5.19.5** or **6.2.4**.
Apr 9, 2026