PatchSiren cyber security CVE debrief

CVE-2026-50076 Apache CVE debrief

CVE-2026-50076 is a Deserialization of Untrusted Data vulnerability in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms. This vulnerability allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. The CVSS score for this vulnerability is 9.1, indicating a Critical severity level.

Vendor: Apache
Product: Fory
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Anyone running the Apache Fory fory-core Java SDK at a version before 1.1.0 on a Java/JVM platform is affected, particularly where Fory is used to deserialize data that originates outside the process, and should plan the upgrade.

Technical summary

The vulnerability is caused by the deserialization of untrusted data in the Java replace-resolve path. Crafted Fory serialized data lets an attacker bypass the class registration, TypeChecker, and DisallowedList checks and reach the readResolve/readExternal hooks of classes present on the classpath, so the safeguards that normally restrict which types can be deserialized do not protect this path.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 1.1.0 or later of Apache Fory fory-core Java SDK.
  • Refer to [ref-4](https://fory.apache.org/security) for vendor advisory and [ref-5](http://www.openwall.com/lists/oss-security/2026/06/04/4) for additional information.

Evidence notes

The information provided is based on the official CVE record [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-50076) and the NVD detail [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-50076).

Official resources

CVE-2026-50076 was published on 2026-06-04T17:16:33.390Z and modified on 2026-06-08T13:00:55.350Z.