RMI Deserialization Flaw in OpenTelemetry Java Instrumentation Affects Java Users
CVE-2026-33701

9.3 CRITICAL

Key Information:

Vendor
CVE Published:
27 March 2026

What is CVE-2026-33701?

OpenTelemetry Java Instrumentation prior to version 2.26.1 contains a vulnerability in its RMI instrumentation: it fails to apply serialization filters when deserializing incoming data. An attacker with network access to an instrumented JVM's JMX or RMI port (the one configured via '-Dcom.sun.management.jmxremote.port') can exploit the flaw when three conditions hold: the Java agent is attached, the JMX/RMI port is reachable, and a compatible gadget-chain library is present on the classpath. Under those conditions the outcome is arbitrary remote code execution with the privileges of the JVM user. Upgrading to version 2.26.1 or later is strongly advised for those using Java 16 or below. For users on JDK 17 or newer, no immediate action is necessary but upgrading is still recommended.
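As an added illustration (not code from the advisory or from the OpenTelemetry project), the Java program below shows what "applying a serialization filter" means: a JEP 290 ObjectInputFilter allowlist set on an ObjectInputStream rejects any class outside the java.base module before that class's readObject logic can run. The AppRecord class and the filter pattern are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {

    // Constructed stand-in for an application class that is NOT on the allowlist.
    static final class AppRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name = "example";
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an explicit per-stream filter; the filter is consulted for every
    // class in the stream before it is resolved, which is the check the unpatched code lacked.
    static Object deserializeFiltered(byte[] data, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter); // available since Java 9
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowlist: classes from the java.base module only, reject everything else, cap graph depth.
        ObjectInputFilter allowJavaBaseOnly =
                ObjectInputFilter.Config.createFilter("maxdepth=10;java.base/*;!*");

        List<String> allowed = new ArrayList<>();
        allowed.add("ok");
        System.out.println("ArrayList accepted: " + deserializeFiltered(serialize(allowed), allowJavaBaseOnly));

        try {
            deserializeFiltered(serialize(new AppRecord()), allowJavaBaseOnly);
        } catch (InvalidClassException e) {
            System.out.println("AppRecord rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern string can be installed process-wide with the standard '-Djdk.serialFilter=...' JVM option, which also covers the JMX/RMI deserialization path as defense in depth alongside the upgrade.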

Affected Version(s)

opentelemetry-java-instrumentation < 2.26.1

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
