CVE-2026-33701
Published: 27 March 2026
Description
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, a gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation, directly mitigating this CVE by requiring upgrades to OpenTelemetry Java Instrumentation version 2.26.1 or later.
CM-6 enforces secure configuration settings, such as setting -Dotel.instrumentation.rmi.enabled=false or restricting JMX/RMI port exposure to prevent network access.
SC-7 implements boundary protection to monitor and control communications at external interfaces, blocking unauthorized network access to vulnerable JMX/RMI ports.
Security Summary
CVE-2026-33701 affects OpenTelemetry Java Instrumentation libraries in versions prior to 2.26.1, which provide auto-instrumentation for Java applications. The vulnerability stems from the RMI instrumentation registering a custom endpoint that deserializes incoming data without applying serialization filters, enabling potential remote code execution (RCE) on JDK versions 16 and earlier. This issue is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 9.8 (Critical), reflecting its high impact due to network-based exploitation without authentication.
Exploitation requires three conditions: OpenTelemetry Java Instrumentation attached as a Java agent (-javaagent) on JDK 16 or earlier; a JMX/RMI port explicitly configured via -Dcom.sun.management.jmxremote.port and network-reachable; and a gadget-chain-compatible library present on the classpath. An attacker with network access to the exposed JMX or RMI port can send malicious serialized data, achieving arbitrary RCE with the privileges of the user running the instrumented JVM.
Advisories recommend upgrading to version 2.26.1 or later for JDK versions below 17, while no immediate action is required for JDK 17 and above, though upgrading is encouraged. As a workaround, disable the RMI integration by setting the system property -Dotel.instrumentation.rmi.enabled=false. Details are available in the OpenTelemetry GitHub security advisory (GHSA-xw7x-h9fj-p2c7), the v2.26.1 release notes, and the fixing commit (9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197).
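As an added triage example (not code from the advisory or the OpenTelemetry project), the following Python evaluates a JVM's launch arguments against the three conditions described above and reports the remediation the advisory gives for that state. The agent jar naming pattern and the sample command lines are constructed assumptions; the gadget-chain condition is not visible in a command line, so a JVM meeting the first two conditions is reported as exposed.

```python
import re
import shlex

# Fixed version from the advisory for CVE-2026-33701.
FIXED_VERSION = (2, 26, 1)
# Assumed jar naming: opentelemetry-javaagent.jar, optionally with a version suffix.
AGENT_RE = re.compile(r"opentelemetry-javaagent(?:-(\d+)\.(\d+)\.(\d+))?\.jar$")


def parse_launch_args(cmdline):
    """Extract the CVE-relevant facts from one JVM command line."""
    facts = {"agent": False, "agent_version": None, "jmx_port": None, "rmi_disabled": False}
    for arg in shlex.split(cmdline):
        if arg.startswith("-javaagent:"):
            jar = arg[len("-javaagent:"):].split("=", 1)[0]  # drop agent options after '='
            m = AGENT_RE.search(jar)
            if m:
                facts["agent"] = True
                if m.group(1):  # version only known when it is part of the filename
                    facts["agent_version"] = tuple(int(g) for g in m.groups())
        elif arg.startswith("-Dcom.sun.management.jmxremote.port="):
            facts["jmx_port"] = int(arg.split("=", 1)[1])
        elif arg == "-Dotel.instrumentation.rmi.enabled=false":
            facts["rmi_disabled"] = True
    return facts


def assess(cmdline, java_major):
    """Return (status, reason). An agent jar without a version suffix is treated as
    unpatched; the classpath gadget-chain condition cannot be checked here."""
    f = parse_launch_args(cmdline)
    if not f["agent"]:
        return "not_affected", "OpenTelemetry javaagent not attached"
    if java_major >= 17:
        return "not_exploitable", "JDK >= 17; upgrade still encouraged"
    if f["agent_version"] is not None and f["agent_version"] >= FIXED_VERSION:
        return "fixed", "agent is 2.26.1 or later"
    if f["rmi_disabled"]:
        return "mitigated", "otel.instrumentation.rmi.enabled=false is set"
    if f["jmx_port"] is None:
        return "not_exposed", "no jmxremote.port configured; upgrade to 2.26.1"
    return "exposed", (f"JMX/RMI port {f['jmx_port']} reachable on JDK {java_major}; "
                       "upgrade to 2.26.1 or disable RMI instrumentation")


# Constructed sample launch lines paired with the JVM's Java major version (not real systems).
SAMPLES = [
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar -Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar -Dcom.sun.management.jmxremote.port=9010 -Dotel.instrumentation.rmi.enabled=false -jar app.jar", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.26.1.jar -Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 8),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar -Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 17),
    ("java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11),
]
```

Run it over the output of `ps` or a process inventory; a status of `exposed` means the first two advisory conditions hold and the classpath still needs to be reviewed for the third.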
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated RCE via malicious deserialization over an exposed network-reachable JMX/RMI port, directly mapping to T1190 (Exploit Public-Facing Application).