CVE-2026-33728
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
Description
In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: 1. dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier 2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable 3. A gadget-chain-compatible library is present on the classpath ### Impact Arbitrary remote code execution with the privileges of the user running the instrumented JVM. ### Recommendation - For JDK >= 17: No action is required, but upgrading is strongly encouraged. - For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later. - For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below. ### Workarounds Set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false` ### Credits This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.
How to fix CVE-2026-33728
To remediate CVE-2026-33728, upgrade the affected package to a fixed version below.
- —upgrade to 1.60.3 or later
Is CVE-2026-33728 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.40.0, < 1.60.3