Message-ID: <8182878e-8b18-c89a-48eb-deb9e3860531@apache.org>
Date: Thu, 04 Jun 2026 09:08:28 +0000
From: Chaokun Yang <chaokunyang@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-50076: Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass

Severity: important

Affected versions:

- Apache Fory (org.apache.fory:fory-core) before 1.1.0

Description:

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.

Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
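A quick way to find the affected artifact in a Maven dependency listing (output of `mvn dependency:list` or `dependency:tree`) is shown below. This is an added example, not code from the advisory or the Fory project; the sample lines are constructed, and pre-release qualifiers such as `-rc1` or `-SNAPSHOT` are assumed to sort before the plain release.

```python
import re
from typing import Iterable, List, Tuple

# Coordinate and fixed version taken from the advisory text.
AFFECTED_ARTIFACT = "org.apache.fory:fory-core"
FIXED_VERSION = (1, 1, 0)

# Matches Maven coordinates as printed by `mvn dependency:list` / `dependency:tree`,
# e.g. "org.apache.fory:fory-core:jar:1.0.0:compile" (group:artifact:type:version[:scope]).
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?")


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Split "1.1.0-rc1" into ((1, 1, 0), True).

    Assumption: a qualifier after '-' marks a pre-release that precedes the
    plain release of the same number.
    """
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums, bool(qualifier)


def is_affected(version: str) -> bool:
    """True when version is before 1.1.0 (the advisory's affected range)."""
    nums, prerelease = parse_version(version)
    nums = (nums + (0, 0, 0))[:3]  # pad so "1.1" compares like "1.1.0"
    if nums < FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and prerelease  # 1.1.0-rc1 is still pre-fix


def find_affected(lines: Iterable[str]) -> List[str]:
    """Return the affected fory-core coordinates found in dependency output lines."""
    hits = []
    for line in lines:
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if f"{group}:{artifact}" == AFFECTED_ARTIFACT and is_affected(version):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


# Constructed sample of Maven output; only the first and third lines are in range.
SAMPLE = [
    "[INFO]    org.apache.fory:fory-core:jar:1.0.0:compile",
    "[INFO]    org.apache.fory:fory-core:jar:1.1.0:compile",
    "[INFO] +- org.apache.fory:fory-core:jar:1.1.0-rc1:compile",
    "[INFO] +- org.apache.commons:commons-lang3:jar:3.14.0:compile",
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE):
        print("affected:", hit)
```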

Credit:

Venkatraman Kumar (r3dw0lfsec), Securin (reporter)

References:

https://fory.apache.org/security
https://fory.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-50076
