CVE-2026-48207: Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement

Q: What is the severity of CVE-2026-48207?

CVE-2026-48207 has a critical severity rating of 9.8 according to the CVSS 3.1 metrics.

Q: How do I fix CVE-2026-48207?

To mitigate CVE-2026-48207, ensure that you update Apache Fory to the latest version that addresses this vulnerability.

Q: What are the potential impacts of CVE-2026-48207?

CVE-2026-48207 could allow an attacker to perform unauthorized actions by deserializing untrusted data, leading to potential data loss or corruption.

Q: Which Apache Fory versions are affected by CVE-2026-48207?

CVE-2026-48207 affects versions of Apache Fory that utilize the PyFory ReduceSerializer for data deserialization.

Q: Is user interaction required to exploit CVE-2026-48207?

No user interaction is required to exploit CVE-2026-48207; it can be executed remotely by an attacker.

Published May 21, 2026

Updated

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

Affected Software

1 affected component

Apache Fory<1.0.0

Event History

May 21, 2026

CVE Published

via MITRE·03:51 PM

Data Sourced

via MITRE·03:51 PM

DescriptionWeakness

Data Sourced

via NVD·05:16 PM

DescriptionSeverityWeakness

Frequently Asked Questions

What is the severity of CVE-2026-48207?

CVE-2026-48207 has a critical severity rating of 9.8 according to the CVSS 3.1 metrics.

How do I fix CVE-2026-48207?

To mitigate CVE-2026-48207, ensure that you update Apache Fory to the latest version that addresses this vulnerability.

What are the potential impacts of CVE-2026-48207?

CVE-2026-48207 could allow an attacker to perform unauthorized actions by deserializing untrusted data, leading to potential data loss or corruption.

Which Apache Fory versions are affected by CVE-2026-48207?

CVE-2026-48207 affects versions of Apache Fory that utilize the PyFory ReduceSerializer for data deserialization.

Is user interaction required to exploit CVE-2026-48207?

No user interaction is required to exploit CVE-2026-48207; it can be executed remotely by an attacker.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.