CVE-2026-33701: CWE-502: Deserialization of Untrusted Data in open-telemetry opentelemetry-java-instrumentation
CVE-2026-33701 is a critical deserialization vulnerability in OpenTelemetry Java Instrumentation versions prior to 2.26.1. It affects Java 16 and earlier when the RMI instrumentation is enabled and a network-reachable JMX/RMI port is configured. An attacker with network access to this port could exploit the vulnerability to achieve remote code execution with the privileges of the JVM process. The vulnerability requires a gadget-chain-compatible library on the classpath to be exploitable. For Java 17 and later, no action is required, but upgrading is recommended. For affected versions and Java versions below 17, upgrading to 2.26.1 or later or disabling RMI integration via a system property mitigates the risk.
AI Analysis
Technical Summary
OpenTelemetry Java Instrumentation prior to version 2.26.1 registers a custom RMI endpoint that deserializes incoming data without applying serialization filters, leading to a CWE-502 deserialization of untrusted data vulnerability. This can be exploited on Java 16 and earlier if the JVM is instrumented with OpenTelemetry as a Java agent, a JMX/RMI port is explicitly configured and network-accessible, and a gadget-chain-compatible library is present on the classpath. Successful exploitation results in arbitrary remote code execution with the privileges of the JVM process. The vulnerability does not affect Java 17 and later. Mitigation includes upgrading to version 2.26.1 or later or disabling the RMI instrumentation via the system property `-Dotel.instrumentation.rmi.enabled=false`.
Potential Impact
An attacker with network access to a configured JMX/RMI port on an instrumented JVM running Java 16 or earlier can achieve remote code execution with the privileges of the JVM process. This can lead to full compromise of the affected system. The vulnerability requires specific conditions to be met, including the presence of a gadget-chain-compatible library on the classpath. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available by upgrading OpenTelemetry Java Instrumentation to version 2.26.1 or later. For environments running Java 17 or later, no action is required, though upgrading is recommended. As a temporary workaround for affected versions on Java 16 or earlier, disable the RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false`. This disables the vulnerable RMI endpoint and mitigates the risk.
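The advisory's preconditions (agent older than 2.26.1, Java 16 or earlier, a configured JMX/RMI port, RMI instrumentation not disabled) can be turned into a fleet check. The following is an added example written for this page, not code from the advisory or from the OpenTelemetry project. It assumes the JMX/RMI port is exposed through the standard JDK property `com.sun.management.jmxremote.port`, that the agent jar keeps its upstream `opentelemetry-javaagent` name on the `-javaagent:` argument, and that the caller supplies the agent version (for example, read from the jar's manifest), since the command line alone does not reveal it. The hostnames and launch lines in `SAMPLE_FLEET` are constructed.

```python
import re
from dataclasses import dataclass

FIXED_AGENT = (2, 26, 1)   # first fixed release named in the advisory
FIRST_SAFE_JAVA = 17       # Java 17 and later are not affected
RMI_OFF = "-Dotel.instrumentation.rmi.enabled=false"   # workaround from the advisory
# Assumption: the JMX/RMI port is exposed via the standard JDK property.
JMX_PORT_PREFIX = "-Dcom.sun.management.jmxremote.port="


def parse_version(text: str) -> tuple:
    """Turn '2.25.0' into (2, 25, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def java_major(version: str) -> int:
    """Feature release of a java.version string: '1.8.0_292' -> 8, '11.0.2' -> 11, '17' -> 17."""
    parts = parse_version(version)
    return parts[1] if parts[0] == 1 else parts[0]


@dataclass
class Assessment:
    exposed: bool   # True when every precondition the advisory lists is present
    reason: str


def assess(java_version: str, agent_version: str, jvm_args: list) -> Assessment:
    """Check one JVM's launch configuration against the advisory's preconditions.

    Whether a gadget-chain-compatible library is on the classpath cannot be read
    from the command line, so a JVM meeting every other condition is reported as
    exposed (conservative). RMI instrumentation is assumed enabled unless the
    documented property switches it off.
    """
    # Assumption: the agent jar keeps its upstream artifact name.
    instrumented = any(a.startswith("-javaagent:") and "opentelemetry-javaagent" in a
                       for a in jvm_args)
    if not instrumented:
        return Assessment(False, "OpenTelemetry Java agent not attached")
    major = java_major(java_version)
    if major >= FIRST_SAFE_JAVA:
        return Assessment(False, f"Java {major} is not affected")
    if parse_version(agent_version) >= FIXED_AGENT:
        return Assessment(False, f"agent {agent_version} already contains the fix")
    if RMI_OFF in jvm_args:
        return Assessment(False, "RMI instrumentation disabled (workaround applied)")
    port = next((a[len(JMX_PORT_PREFIX):] for a in jvm_args if a.startswith(JMX_PORT_PREFIX)), None)
    if port is None:
        return Assessment(False, "no JMX/RMI port configured; upgrade before enabling one")
    return Assessment(True, f"vulnerable agent {agent_version} on Java {major} with JMX/RMI "
                            f"port {port} configured; upgrade to 2.26.1+ or add {RMI_OFF}")


# Constructed sample fleet (made-up hostnames and launch lines), not data from the advisory.
AGENT = "-javaagent:/opt/otel/opentelemetry-javaagent.jar"
SAMPLE_FLEET = {
    "orders-01":  ("11.0.2",   "2.25.0", [AGENT, JMX_PORT_PREFIX + "9010", "-jar", "orders.jar"]),
    "orders-02":  ("11.0.2",   "2.25.0", [AGENT, JMX_PORT_PREFIX + "9010", RMI_OFF, "-jar", "orders.jar"]),
    "billing-01": ("17.0.8",   "2.25.0", [AGENT, JMX_PORT_PREFIX + "9010", "-jar", "billing.jar"]),
    "billing-02": ("11.0.2",   "2.26.1", [AGENT, JMX_PORT_PREFIX + "9010", "-jar", "billing.jar"]),
    "batch-01":   ("1.8.0_292", "2.25.0", [AGENT, "-jar", "batch.jar"]),
    "legacy-01":  ("1.8.0_292", "2.25.0", ["-jar", "legacy.jar"]),
}


def exposed_hosts(fleet=SAMPLE_FLEET) -> list:
    """Names of hosts on which all listed preconditions hold, sorted for stable output."""
    return sorted(name for name, (jv, av, args) in fleet.items() if assess(jv, av, args).exposed)


if __name__ == "__main__":
    for name, (jv, av, args) in SAMPLE_FLEET.items():
        a = assess(jv, av, args)
        print(f"{name:<11} {'EXPOSED' if a.exposed else 'ok':<8} {a.reason}")
```

Feeding the check real launch lines (from `ps -o args` or a process inventory) plus the agent version per host yields a short list of JVMs where the upgrade or the `-Dotel.instrumentation.rmi.enabled=false` workaround is still outstanding; hosts with no JMX/RMI port configured are reported as not exposed but should still be upgraded, because exposing a port later would complete the preconditions.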
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.746Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c5d2fe3c064ed76ff40486
Added to database: 3/27/2026, 12:44:46 AM
Last enriched: 4/3/2026, 1:42:42 PM
Last updated: 5/11/2026, 5:13:22 AM