Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass
CVE-2026-50076
Currently unrated
What is CVE-2026-50076?
Deserialization of untrusted data in the Java replace-resolve path of the Apache Fory fory-core Java SDK before 1.1.0, on Java/JVM platforms, allows a remote attacker to bypass the class registration, TypeChecker, and DisallowedList checks and to invoke the readResolve/readExternal hooks of classes present on the classpath via crafted Fory serialized data.
Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
Affected Version(s)
Apache Fory: versions from 0 up to, but not including, 1.1.0