CVE-2026-33701
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
Description
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: 1. OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) 2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service) 3. A gadget-chain-compatible library is present on the classpath ### Impact Arbitrary remote code execution with the privileges of the user running the instrumented JVM. ### Recommendation Upgrade to version 2.26.1 or later. ### Workarounds Set the following system property to disable the RMI integration: ``` -Dotel.instrumentation.rmi.enabled=false ``` ### Credits This vulnerability was responsibly disclosed in coordination with Datadog.
How to fix CVE-2026-33701
To remediate CVE-2026-33701, upgrade the affected package to a fixed version below.
- —upgrade to 2.26.1 or later
Is CVE-2026-33701 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.26.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (5)
- ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33701
- PATCHgithub.com/open-telemetry/opentelemetry-java-instrumentation
- WEBgithub.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197
- WEBgithub.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1