Skip to main content

Apache Fory CVE-2026-50076

| EUVD-2026-34300 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-04 GHSA-8f39-v287-78jf
Apache Deserialization Java
9.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jun 04, 2026 - 18:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 18:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 04, 2026 - 18:22 NVD
9.1 (CRITICAL)
Patch available
Jun 04, 2026 - 18:01 EUVD
Analysis Generated
Jun 04, 2026 - 16:20 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the framework's class registration, TypeChecker, and DisallowedList security controls on Java/JVM platforms. By crafting malicious Fory-serialized payloads that exercise the replace-resolve path, an attacker can invoke arbitrary readResolve/readExternal hooks on any class present on the classpath, enabling gadget-chain abuse without authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify service deserializing Fory data
Delivery
Craft Fory blob exercising replace-resolve path
Exploit
Submit payload to network endpoint
Execution
Bypass class registration, TypeChecker, DisallowedList
Persist
Trigger readResolve/readExternal on classpath gadget
Impact
Execute gadget chain for RCE or data exfiltration
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application embed Apache Fory fory-core (Java SDK) at a version below 1.1.0, run on a Java/JVM platform, and deserialize Fory-formatted data that an attacker can influence - typically a network-reachable endpoint, message-queue consumer, or cache loader that accepts Fory payloads. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N indicates a network-reachable, low-complexity, unauthenticated, no-user-interaction attack with high confidentiality and integrity impact but no direct availability impact - a profile typical for deserialization gadget chains that pivot to data theft or code execution rather than crashing the host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted Fory-serialized blob to any service that deserializes untrusted Fory data - for example, an internal RPC endpoint, a Kafka topic consumer, or a cache that hydrates Fory objects from Redis. The payload exercises the replace-resolve path to slip past Fory's class-registration, TypeChecker, and DisallowedList controls and reaches a classpath-present gadget class whose readResolve or readExternal method drives a chain to arbitrary command execution or sensitive data disclosure. …
Remediation The primary remediation is to upgrade fory-core to vendor-released patch version 1.1.0 or later, which the Apache Fory project has identified as the fix for this issue (see https://fory.apache.org/security and the oss-security disclosure at https://seclists.org/oss-sec/2026/q2/808). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Conduct asset discovery to identify all Java applications using Apache Fory fory-core; categorize by environment and criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-10771 MEDIUM POC
5.5 Jun 03

Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode en
CVE-2026-25860 MEDIUM POC
5.3 Jun 09

Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote atta
CVE-2026-40128 CRITICAL
9.0 Jun 09

Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manip
CVE-2026-41855 HIGH
8.1 Jun 09

Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMess
CVE-2026-41717 HIGH
8.1 Jun 10

Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered durin

Share

CVE-2026-50076 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy