PatchSiren cyber security CVE debrief

CVE-2026-48207 Apache Software Foundation CVE debrief

CVE-2026-48207 is a critical deserialization weakness in Apache Fory PyFory before 1.0.0. According to the Apache security notice and NVD, ReduceSerializer could bypass documented DeserializationPolicy validation during reduce-state restoration and global-name resolution, which matters when applications deserialize attacker-controlled data in Python-native mode with strict mode disabled.

Vendor: Apache Software Foundation
Product: Apache Fory
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Organizations using Apache Fory PyFory in Python-native mode, especially deployments that deserialize untrusted or externally influenced data and rely on DeserializationPolicy to block unsafe classes, functions, or module attributes.

Technical summary

The issue affects Apache Fory versions before 1.0.0. In the affected PyFory ReduceSerializer paths, deserialization could bypass the intended DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. The supplied sources map this to CWE-502 and NVD lists a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high-impact flaw when attacker-controlled payloads reach the deserialization path. Apache states that version 1.0.0 enforces DeserializationPolicy validation for the affected paths and fixes the issue.

Defensive priority

Immediate. Treat as a critical deserialization vulnerability and prioritize upgrading to Apache Fory 1.0.0 or later.

Recommended defensive actions

  • Upgrade Apache Fory / PyFory to version 1.0.0 or later as recommended by Apache.
  • Identify any applications that deserialize attacker-controlled or externally sourced data through PyFory Python-native mode.
  • Review assumptions around DeserializationPolicy enforcement, especially where strict mode is disabled.
  • Validate that any compensating controls do not depend solely on DeserializationPolicy for blocking unsafe classes, functions, or module attributes.
  • Monitor for additional vendor guidance or follow-up advisories linked from the Apache security notice.

Evidence notes

The Apache security notice explicitly names CVE-2026-48207 and states that versions before 1.0.0 are affected, with 1.0.0 fixing the issue by enforcing DeserializationPolicy validation for the affected ReduceSerializer paths. NVD lists the vulnerability as CVSS 9.8 Critical, CWE-502, and references both the Apache security notice and the oss-security post. NVD also marks the record as undergoing analysis at the time of the supplied source snapshot.

Official resources

Publicly disclosed on 2026-05-21; the supplied source gives the CVE record's publication and last-modification timestamps as 2026-05-21T17:16:21.857Z and 2026-05-21T19:16:53.700Z respectively.