CRITICAL | CVE-2026-50076 | CNA: apache

CVE-2026-50076: Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 1.1.0
Affected Products: 1


HarborGuard Analysis

Synopsis

Deserialization of untrusted data in Apache Fory's Java replace-resolve path allows a remote attacker with no authentication to bypass class registration, TypeChecker, and DisallowedList protections and invoke arbitrary readResolve/readExternal hooks on the server. The vulnerability is reachable over the network and requires no user interaction, enabling full read and write access to application data. A patched-image rebuild at version 1.1.0 is available on HarborGuard for environments running an affected version of fory-core.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-50076 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images containing the fory-core Java SDK below version 1.1.0.

Triage (Available)

HarborGuard is capable of scoring this CVE at its CVSS v3.1 critical rating of 9.1 and weighting it against each customer environment's compliance policy to route alerts to the appropriate team inbox without manual classification.

Patch (Available)

A patched-image rebuild at fory-core 1.1.0 becomes available on HarborGuard once affected images are identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Fory deserialization endpoint over the network; any internet- or intranet-exposed service accepting Fory serialized data is in scope.

  • Authentication: Not required

    No credentials or session token are needed; the attacker submits crafted serialized payloads as an anonymous caller.

  • Victim interaction: Not required

    The exploit is fully server-side and requires no action from a user or administrator on the target system.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and depends on no special conditions such as race conditions or a specific memory layout.

Blast Radius

  • A successful attacker reads confidential application data, including session material, credentials, and any objects reachable through readResolve or readExternal hooks on the server classpath.
  • A successful attacker modifies server-side state by invoking writable hooks during deserialization, enabling tampering with persisted records or in-memory application objects.
  • The bypass of TypeChecker and DisallowedList controls removes the primary defense layer, so any class present on the JVM classpath becomes a usable gadget chain target.

How HarborGuard Handles This

Available on HarborGuard: images containing fory-core below 1.1.0 are flagged at the CRITICAL severity level as soon as the CVE is matched during a scan cycle. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at fory-core 1.1.0, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a full dependency diff are staged and waiting for engineer sign-off. Customers who cannot immediately upgrade should consider applying network-policy rules to restrict which callers can submit serialized payloads to Fory-consuming services, reducing the over-the-network attack surface while a rebuild is prepared.


Fix available: 1.1.0
Affected packages
  • Apache Software Foundation / Apache Fory
    < 1.1.0 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N