RMI Deserialization Flaw in OpenTelemetry Java Instrumentation Affects Java Users
CVE-2026-33701
What is CVE-2026-33701?
OpenTelemetry Java Instrumentation before version 2.26.1 contains a deserialization vulnerability in its RMI instrumentation: the instrumentation does not apply serialization filters when it deserializes incoming data. An attacker with network access to an instrumented JVM's JMX/RMI port (the port opened with '-Dcom.sun.management.jmxremote.port') can exploit the flaw when all of the following hold: the Java agent is attached to the JVM, the JMX/RMI port is reachable over the network, and a compatible gadget-chain library is present on the classpath. Successful exploitation gives arbitrary remote code execution with the privileges of the user running the JVM.

Users running Java 16 or earlier should upgrade to version 2.26.1 or later. Users on JDK 17 or newer need no immediate action, but upgrading is still recommended.
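The advisory's conditions can be turned into a fleet-triage check. The script below is an added example, not code from the OpenTelemetry project: given a JVM's command line and its Java major version, it reports whether the agent is attached, whether a JMX/RMI port is opened, whether the agent predates 2.26.1, and whether the JVM is on Java 16 or earlier. It assumes the agent jar name carries its version the way the Maven artifact does (opentelemetry-javaagent-2.25.0.jar); the unversioned download yields no version and is flagged for manual verification. The gadget-chain condition cannot be judged from a command line and is left to the operator. The sample command lines are constructed.

```python
"""Triage JVMs for CVE-2026-33701 from their command lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

FIXED_VERSION = (2, 26, 1)   # first fixed release named in the advisory

# Assumption: the agent jar may carry its version in the file name, as the
# Maven artifact does (opentelemetry-javaagent-2.25.0.jar). The unversioned
# download (opentelemetry-javaagent.jar) yields no version.
AGENT_RE = re.compile(
    r"-javaagent:(\S*?opentelemetry-javaagent(?:-(\d+\.\d+\.\d+))?\.jar)"
)
JMX_PORT_RE = re.compile(r"-Dcom\.sun\.management\.jmxremote\.port=(\d+)")

STATUS_NO_AGENT = "NO_AGENT"                        # advisory does not apply
STATUS_NOT_REACHABLE = "NOT_REACHABLE"              # agent attached, no JMX/RMI port opened
STATUS_FIXED = "FIXED"                              # agent 2.26.1 or later
STATUS_VERIFY_VERSION = "VERIFY_VERSION"            # port open, version not in jar name
STATUS_UPGRADE_RECOMMENDED = "UPGRADE_RECOMMENDED"  # old agent, port open, JDK 17+
STATUS_VULNERABLE = "VULNERABLE"                    # old agent, port open, Java <= 16


@dataclass
class Finding:
    pid: int
    status: str
    jmx_port: Optional[int]
    agent_version: Optional[Tuple[int, int, int]]
    note: str


def assess(pid: int, java_major: int, cmdline: str) -> Finding:
    """Apply the advisory's conditions to one JVM."""
    agent = AGENT_RE.search(cmdline)
    if not agent:
        return Finding(pid, STATUS_NO_AGENT, None, None,
                       "OpenTelemetry Java agent not attached")

    version = (tuple(int(x) for x in agent.group(2).split("."))
               if agent.group(2) else None)
    port_match = JMX_PORT_RE.search(cmdline)
    port = int(port_match.group(1)) if port_match else None
    ver_text = ".".join(map(str, version)) if version else "unknown"

    if port is None:
        return Finding(pid, STATUS_NOT_REACHABLE, None, version,
                       "agent attached but com.sun.management.jmxremote.port is not set")
    if version is not None and version >= FIXED_VERSION:
        return Finding(pid, STATUS_FIXED, port, version, f"agent {ver_text} is fixed")
    if version is None:
        return Finding(pid, STATUS_VERIFY_VERSION, port, None,
                       f"JMX/RMI port {port} open; jar name has no version, "
                       "confirm the agent version by hand")
    if java_major >= 17:
        return Finding(pid, STATUS_UPGRADE_RECOMMENDED, port, version,
                       f"agent {ver_text} on JDK {java_major}: no immediate action "
                       "per advisory, upgrade still recommended")
    return Finding(pid, STATUS_VULNERABLE, port, version,
                   f"agent {ver_text} on Java {java_major} with JMX/RMI port {port}: "
                   "upgrade to 2.26.1; check the classpath for gadget-chain libraries")


# Constructed sample inventory: (pid, java major, command line).
SAMPLE = [
    (101, 11, "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
              "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    (102, 17, "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
              "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    (103, 11, "java -javaagent:/opt/otel/opentelemetry-javaagent-2.26.1.jar "
              "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    (104, 11, "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar -jar app.jar"),
    (105, 8,  "java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
              "-Dcom.sun.management.jmxremote.port=1099 -jar app.jar"),
    (106, 11, "java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
]

if __name__ == "__main__":
    for pid, major, cmd in SAMPLE:
        f = assess(pid, major, cmd)
        print(f"pid {f.pid}: {f.status:20s} {f.note}")
```

On a real host the inventory comes from the process table (for example `ps -o pid=,args=` plus `java -version` per JVM binary); only the VULNERABLE and VERIFY_VERSION rows need follow-up, and even a VULNERABLE row requires the gadget-chain condition to hold before it is exploitable.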
Affected Version(s)
opentelemetry-java-instrumentation < 2.26.1
