CVE-2026-50076
CriticalCVSS 9.1Summary
Apache Fory (foray-core Java SDK before version 1.1.0) has a vulnerability in deserialization of untrusted data, allowing a remote attacker to bypass class registration checks and invoke unsafe methods.
Risk Assessment
An attacker could exploit this vulnerability to perform unauthorized operations on data, potentially leading to serious security breaches in the system.
Recommendation
It is recommended to upgrade to version 1.1.0 or later to mitigate this vulnerability.
Original NVD description (English source)
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.

