CVE-2026-33701

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.

CVSS

No CVSS.

References

Link	Resource
https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197
https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1
https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-27 01:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33701

Mitre link : CVE-2026-33701

CVE.ORG link : CVE-2026-33701

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-33701", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-27T01:16:19.313", "references": [{"url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197", "source": "security-advisories@github.com"}, {"url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1", "source": "security-advisories@github.com"}, {"url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration."}, {"lang": "es", "value": "OpenTelemetry Java Instrumentation proporciona auto-instrumentaci\u00f3n de OpenTelemetry y bibliotecas de instrumentaci\u00f3n para Java. En versiones anteriores a la 2.26.1, la instrumentaci\u00f3n RMI registr\u00f3 un punto final personalizado que deserializaba los datos entrantes sin aplicar filtros de serializaci\u00f3n. En la versi\u00f3n 16 de JDK y anteriores, un atacante con acceso de red a un puerto JMX o RMI en una JVM instrumentada podr\u00eda explotar esto para lograr potencialmente la ejecuci\u00f3n remota de c\u00f3digo. Las tres condiciones siguientes deben cumplirse para explotar esta vulnerabilidad: Primero, la instrumentaci\u00f3n de OpenTelemetry Java est\u00e1 adjunta como un agente Java ('-javaagent') en Java 16 o anterior. Segundo, el puerto JMX/RMI ha sido configurado expl\u00edcitamente a trav\u00e9s de '-Dcom.sun.management.jmxremote.port' y es accesible por red. Tercero, una biblioteca compatible con cadenas de gadgets est\u00e1 presente en el classpath. Esto resulta en ejecuci\u00f3n remota de c\u00f3digo arbitraria con los privilegios del usuario que ejecuta la JVM instrumentada. Para JDK >= 17, no se requiere ninguna acci\u00f3n, pero se recomienda encarecidamente la actualizaci\u00f3n. Para JDK < 17, actualice a la versi\u00f3n 2.26.1 o posterior. Como soluci\u00f3n alternativa, establezca la propiedad del sistema '-Dotel.instrumentation.rmi.enabled=false' para deshabilitar la integraci\u00f3n RMI."}], "lastModified": "2026-03-30T13:26:29.793", "sourceIdentifier": "security-advisories@github.com"}