Mallory
Severity: Critical

Apache Fory fory-core Java SDK replace-resolve deserialization checks bypass

Identifiers: CVE-2026-50076; CWE-502 (Deserialization of Untrusted Data)

CVE-2026-50076 is a deserialization of untrusted data vulnerability in the Java replace-resolve path of Apache Fory fory-core on Java/JVM platforms. It affects org.apache.fory:fory-core versions before 1.1.0. By supplying crafted Fory serialized data, a remote attacker can bypass multiple intended deserialization safeguards, specifically class registration enforcement, TypeChecker validation, and DisallowedList checks. Successful exploitation can cause invocation of classpath-present readResolve and readExternal hooks during deserialization, creating a dangerous execution path in applications that deserialize untrusted external data using the affected library.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to defeat Apache Fory’s deserialization safety controls and reach classpath-available readResolve/readExternal hooks. This can expose backend systems to unauthorized code execution or other attacker-controlled logic execution depending on the classes available on the target classpath. The provided CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates network-reachable exploitation with no privileges or user interaction required, and high confidentiality and integrity impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by preventing applications from deserializing untrusted or externally supplied Fory serialized data, especially across network-facing endpoints. Restrict or disable affected deserialization paths where feasible and review deployments for reachable services using the vulnerable fory-core library. However, the provided advisory does not describe a complete workaround; upgrading to 1.1.0 or later is the primary mitigation.

Remediation

Patch, then assume compromise.

Upgrade Apache Fory fory-core Java SDK to version 1.1.0 or later. Apache states that version 1.1.0 fixes this issue, including stricter verification/sanitization in the affected deserialization path. Organizations should also audit dependency trees and identify applications or endpoints that accept untrusted Fory-serialized input.
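The dependency-tree audit recommended above, as an added example that is not part of this advisory or of the Apache Fory project: it parses `mvn dependency:list` output (a constructed sample is embedded) and flags every org.apache.fory:fory-core entry whose version is below the 1.1.0 fix, treating pre-release qualifiers such as `1.1.0-rc1` as older than the release.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `mvn dependency:list` output; not taken from any real project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.fory:fory-core:jar:1.0.0:compile
[INFO]    org.apache.fory:fory-format:jar:1.0.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile
[INFO]    org.apache.fory:fory-core:jar:1.1.0-rc1:runtime -- module fory.core (auto)
[INFO]    org.apache.fory:fory-core:jar:1.1.0:test
"""

AFFECTED_GA = "org.apache.fory:fory-core"   # group:artifact named in the advisory
FIXED_VERSION = "1.1.0"                      # first version Apache states as fixed


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Split '1.1.0-rc1' into ((1,1,0), 0, 'rc1'); a bare release sorts after any
    pre-release of the same number because its middle element is 1 rather than 0."""
    base, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    return (nums, 0 if qualifier else 1, qualifier)


def is_affected(version: str) -> bool:
    """True when the fory-core version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (group:artifact, version, scope) for a dependency line, else None.
    Handles the optional classifier field and the '-- module ...' suffix."""
    body = re.sub(r"^\[INFO\]\s*", "", line.strip())
    parts = body.split(":")
    if len(parts) < 5:
        return None  # banner lines such as 'The following files have been resolved:'
    scope = parts[-1].split()[0]
    return (f"{parts[0]}:{parts[1]}", parts[-2], scope)


def find_affected(dependency_list: str) -> List[Tuple[str, str]]:
    """Return (version, scope) for every fory-core entry older than the fix."""
    hits = []
    for line in dependency_list.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == AFFECTED_GA and is_affected(parsed[1]):
            hits.append((parsed[1], parsed[2]))
    return hits


if __name__ == "__main__":
    for version, scope in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"{AFFECTED_GA}:{version} ({scope}) is below {FIXED_VERSION}; upgrade")
```

Pipe real output in with `mvn dependency:list | python3 audit_fory.py` after replacing the embedded sample with `sys.stdin.read()`.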
PUBLIC EXPLOITS


No public exploit code observed for this vulnerability.
