{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33701", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.746Z", "datePublished": "2026-03-27T00:01:12.327Z", "dateUpdated": "2026-03-27T13:52:22.536Z"}, "containers": {"cna": {"title": "OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7"}, {"name": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197"}, {"name": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-java-instrumentation", "versions": [{"version": "< 2.26.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:01:12.327Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration."}], "source": {"advisory": "GHSA-xw7x-h9fj-p2c7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:26:02.475553Z", "id": "CVE-2026-33701", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:52:22.536Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33701", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T13:26:02.475553Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:26:05.882Z"}}], "cna": {"title": "OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution", "source": {"advisory": "GHSA-xw7x-h9fj-p2c7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-java-instrumentation", "versions": [{"status": "affected", "version": "< 2.26.1"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7", "name": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197", "name": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1", "name": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:01:12.327Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33701", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:52:22.536Z", "dateReserved": "2026-03-23T17:06:05.746Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T00:01:12.327Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:*:*:*:*:*:*:*:*", "matchCriteriaId": "E54EFE1C-1E2D-4BBC-838A-9A29C0836C3A", "versionEndExcluding": "2.26.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration."}, {"lang": "es", "value": "OpenTelemetry Java Instrumentation proporciona auto-instrumentaci\u00f3n de OpenTelemetry y bibliotecas de instrumentaci\u00f3n para Java. En versiones anteriores a la 2.26.1, la instrumentaci\u00f3n RMI registr\u00f3 un punto final personalizado que deserializaba los datos entrantes sin aplicar filtros de serializaci\u00f3n. En la versi\u00f3n 16 de JDK y anteriores, un atacante con acceso de red a un puerto JMX o RMI en una JVM instrumentada podr\u00eda explotar esto para lograr potencialmente la ejecuci\u00f3n remota de c\u00f3digo. Las tres condiciones siguientes deben cumplirse para explotar esta vulnerabilidad: Primero, la instrumentaci\u00f3n de OpenTelemetry Java est\u00e1 adjunta como un agente Java ('-javaagent') en Java 16 o anterior. Segundo, el puerto JMX/RMI ha sido configurado expl\u00edcitamente a trav\u00e9s de '-Dcom.sun.management.jmxremote.port' y es accesible por red. Tercero, una biblioteca compatible con cadenas de gadgets est\u00e1 presente en el classpath. Esto resulta en ejecuci\u00f3n remota de c\u00f3digo arbitraria con los privilegios del usuario que ejecuta la JVM instrumentada. Para JDK &gt;= 17, no se requiere ninguna acci\u00f3n, pero se recomienda encarecidamente la actualizaci\u00f3n. Para JDK &lt; 17, actualice a la versi\u00f3n 2.26.1 o posterior. Como soluci\u00f3n alternativa, establezca la propiedad del sistema '-Dotel.instrumentation.rmi.enabled=false' para deshabilitar la integraci\u00f3n RMI."}], "id": "CVE-2026-33701", "lastModified": "2026-04-01T16:00:06.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:19.313", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "io.opentelemetry.javaagent/opentelemetry-javaagent: OpenTelemetry Java Instrumentation: Remote code execution via deserialization vulnerability in RMI", "id": "2452071", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452071"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.", "A flaw was found in OpenTelemetry Java Instrumentation. This vulnerability allows a remote attacker with network access to a Java Management Extensions (JMX) or Remote Method Invocation (RMI) port on an instrumented Java Virtual Machine (JVM) running Java Development Kit (JDK) version 16 or earlier to achieve arbitrary remote code execution. This is possible because the RMI instrumentation registers a custom endpoint that deserializes incoming data without proper serialization filters, provided a compatible gadget-chain library is present on the classpath. Successful exploitation grants the attacker the same privileges as the user running the affected JVM."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33701", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "opentelemetry-javaagent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "opentelemetry-javaagent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-03-27T00:01:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33701\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33701\nhttps://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197\nhttps://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1\nhttps://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.26.1)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "opentelemetry-java-instrumentation", "source": "cna", "vendor": "open-telemetry"}, "product": "opentelemetry-java-instrumentation", "vendor": "opentelemetry"}], "analysis": {"en": {"generated_at": "2026-04-02T05:17:08.892826+00:00", "value": {"mitigation_remediation": ["Upgrade OpenTelemetry Java instrumentation to version 2.26.1 or later", "If an upgrade is not immediately possible, disable the RMI integration by setting the system property -Dotel.instrumentation.rmi.enabled=false", "Ensure the JVM runs on JDK\u202f17 or newer, or otherwise restrict network access to the JMX/RMI port to trusted hosts", "Verify that no gadget\u2011chain\u2011compatible libraries are present on the classpath"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Products affected are the OpenTelemetry Java instrumentation libraries, versions prior to 2.26.1, when they are attached as a Java agent via the -javaagent option to a JVM running on Java 16 or earlier. The JVM must have a JMX or RMI port explicitly configured and exposed to the network, and a gadget\u2011chain\u2011compatible library must be present on the classpath. JDK versions 17 or newer are not impacted, and upgrading the instrumentation library to 2.26.1 or later removes this risk.", "description_and_impact": "OpenTelemetry Java instrumentation registers a custom RMI endpoint that deserializes incoming data without any serialization filtering. This flaw allows an attacker to send specially crafted serialized objects that, when processed by the instrumented JVM, can trigger arbitrary code execution with the privileges of the JVM process. The weakness is identified as an unsafe deserialization defect, CWE\u2011502. When the vulnerability is exploited, it can compromise the confidentiality, integrity, and availability of the affected system by allowing an attacker to execute arbitrary code on the host.", "risk_and_exploitability": "The CVSS score of 9.3 indicates critical severity, yet the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting that real\u2011world exploitation is currently low. Exploitation requires three conditions at once: the JVM must be instrumented by OpenTelemetry Java instrumentation under -javaagent, a network\u2011reachable JMX/RMI port must be configured, and the classpath must contain a compatible gadget library. The likely attack vector is a remote attacker targeting the exposed port to deliver malicious serialized payloads; this inference is based on the description that the vulnerability can be triggered by external input over the network."}}}}, "created": "2026-03-27T08:31:17.427857+00:00", "updated": "2026-04-02T07:55:56.864645+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry-java-instrumentation"]}