Description
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.

Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
Published: 2026-06-04
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the deserialization path of Apache Fory’s replace‑resolve feature. It allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks, enabling the invocation of readResolve/readExternal hooks for classes already present on the application classpath. This flaw can lead to arbitrary code execution and is classified as CWE‑502.

Affected Systems

Apache Software Foundation’s Apache Fory fory‑core Java SDK on Java/JVM platforms. Versions prior to 1.1.0 are affected.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not yet listed in CISA KEV, indicating no known public exploits at this time. However, the CVSS score of 9.1 points to a high severity flaw, and because the attack vector relies on the transmission of crafted serialized data—possible over network interfaces or file uploads—the risk of exploitation remains high. The flaw permits full compromise of affected applications when executed.

Generated by OpenCVE AI on June 4, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Apache Fory fory‑core Java SDK to version 1.1.0 or later.
  • If an upgrade cannot be performed immediately, restrict deserialization to trusted data sources and enforce a strict whitelist of allowable classes in the application’s deserialization logic.
  • Deploy monitoring to detect unauthorized deserialization attempts and review logs for suspicious activity.

Generated by OpenCVE AI on June 4, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
Title Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass
Weaknesses CWE-502
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-04T17:01:57.229Z

Reserved: 2026-06-03T12:46:29.360Z

Link: CVE-2026-50076

cve-icon Vulnrichment

Updated: 2026-06-04T17:01:57.229Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-04T17:16:33.390

Modified: 2026-06-04T19:15:17.327

Link: CVE-2026-50076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T18:30:16Z

Weaknesses