CVE-2026-33701: CWE-502: Deserialization of Untrusted Data in open-telemetry opentelemetry-java-instrumentation
CVE-2026-33701 is a critical remote code execution vulnerability in open-telemetry's Java instrumentation (opentelemetry-java-instrumentation) in versions prior to 2.26.1. It arises from unsafe deserialization of untrusted data via a custom RMI endpoint that the instrumentation registers on Java 16 and earlier. Exploitation requires three conditions: the Java agent attached, a network-accessible JMX/RMI port configured, and a gadget-chain-compatible library on the classpath. Successful exploitation allows an attacker with network access to execute arbitrary code with the JVM process's privileges, without authentication or user interaction. Systems running JDK 17 or later are not vulnerable, but upgrading is still recommended. Mitigation is to upgrade to version 2.26.1 or later, or to disable the RMI integration via a system property.
AI Analysis
Technical Summary
CVE-2026-33701 is a deserialization vulnerability (CWE-502) in open-telemetry's opentelemetry-java-instrumentation before version 2.26.1. On JDK 16 and earlier, the RMI instrumentation registers a custom RMI endpoint that deserializes incoming data without applying a serialization filter, so an attacker who can reach the JVM's JMX/RMI port can deliver a crafted serialized object and obtain remote code execution (RCE). Three conditions must all hold: (1) the OpenTelemetry Java instrumentation is attached as a Java agent via -javaagent; (2) a JMX/RMI port is explicitly configured with -Dcom.sun.management.jmxremote.port and is reachable over the network; (3) a library with a usable gadget chain is on the JVM classpath. The RMI endpoint supplies only the deserialization entry point; the gadget chain supplies the code-execution primitive, which is why condition (3) is required. Code executes with the privileges of the JVM process owner, and the advisory reports that no authentication or user interaction is needed. JDK 17 and later are not affected, although upgrading the instrumentation is still advised. The fix for affected environments (JDK 16 or earlier) is to upgrade to opentelemetry-java-instrumentation 2.26.1 or later; as a temporary workaround, disabling the RMI instrumentation with -Dotel.instrumentation.rmi.enabled=false prevents the endpoint from being registered. No exploitation in the wild had been reported as of publication. The CVSS v4.0 base score is 9.3 (Critical), reflecting the high impact and the absence of authentication.
Potential Impact
This vulnerability enables unauthenticated remote attackers with network access to a JVM's JMX/RMI port to execute arbitrary code with the same privileges as the JVM process. This can lead to full system compromise, data theft, service disruption, or lateral movement within an organization's network. Since OpenTelemetry is widely used for monitoring and telemetry in Java applications, especially in cloud-native and enterprise environments, vulnerable systems exposing JMX/RMI ports are at significant risk. The impact is amplified in environments where JVMs run with elevated privileges or handle sensitive data. Exploitation requires no user interaction or authentication, increasing the threat level. Organizations relying on Java 16 or earlier and using OpenTelemetry instrumentation with exposed JMX/RMI ports must consider this vulnerability critical to their security posture.
Mitigation Recommendations
1. Upgrade opentelemetry-java-instrumentation to version 2.26.1 or later on every affected JVM (JDK 16 or earlier).
2. If an immediate upgrade is not feasible, disable the RMI instrumentation with the JVM system property -Dotel.instrumentation.rmi.enabled=false (the agent accepts the same setting as the environment variable OTEL_INSTRUMENTATION_RMI_ENABLED=false), so the vulnerable deserialization endpoint is never registered.
3. Restrict network access to JMX/RMI ports with firewall rules or network segmentation so that only trusted management hosts can reach them.
4. Do not run JVM processes with elevated privileges they do not need; this bounds what an attacker gains from a successful deserialization.
5. Remove unnecessary gadget-chain-compatible libraries from the classpath. As an additional layer not listed in the advisory, a process-wide deserialization allow-list via -Djdk.serialFilter (JEP 290, available on JDK 9 and later and backported to later JDK 8 updates) restricts which classes any ObjectInputStream in the JVM will accept.
6. Monitor network traffic and logs for unusual activity targeting JMX/RMI ports.
7. For environments running JDK 17 or later, keep the OpenTelemetry instrumentation up to date as a matter of course.
8. Review telemetry and monitoring configurations to ensure management interfaces such as JMX are exposed only where they are needed.
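The following triage helper is an added example written for this page; it is not code from the OpenTelemetry project or from the advisory. It applies the three preconditions from the Technical Summary and the workaround from the mitigation list to a JVM's command line (as printed by `ps -o args=` or `jps -v`) and its `java -version` banner. It assumes the agent jar name carries its version (an unversioned `opentelemetry-javaagent.jar` is reported for manual review of the manifest's Implementation-Version), that the RMI switch may also arrive via the OTEL_INSTRUMENTATION_RMI_ENABLED environment variable, and, because the classpath is not visible from a command line, that the gadget-chain condition is satisfied (worst case). All sample command lines and version banners are constructed.

```python
"""Triage helper for the CVE-2026-33701 preconditions (constructed example)."""
from __future__ import annotations

import os
import re
import shlex

FIXED_AGENT_VERSION = (2, 26, 1)  # first fixed release named in the advisory
LAST_AFFECTED_JDK = 16            # advisory: JDK 17 and later are not affected


def jdk_major(version_banner: str) -> int | None:
    """Major version from a `java -version` banner; handles both the legacy
    '1.8.0_292' scheme (-> 8) and the modern '11.0.2' / '17' scheme."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_banner)
    if not m:
        return None
    major = int(m.group(1))
    if major == 1 and m.group(2):  # '1.8.0' means JDK 8
        return int(m.group(2))
    return major


def parse_jvm_cmdline(cmdline: str) -> tuple[str | None, dict[str, str]]:
    """Return (javaagent jar path or None, {system property: value})."""
    agent_jar = None
    props: dict[str, str] = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-javaagent:"):
            # -javaagent:<jar>[=<options>]; keep only the jar path
            agent_jar = arg[len("-javaagent:"):].split("=", 1)[0]
        elif arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return agent_jar, props


def agent_version(agent_jar: str) -> tuple[int, ...] | None:
    """Version from a jar name like opentelemetry-javaagent-2.25.0.jar; None when
    the file is unversioned (assumption: then read the manifest by hand)."""
    m = re.search(r"opentelemetry-javaagent-(\d+)\.(\d+)\.(\d+)\.jar$",
                  os.path.basename(agent_jar))
    return tuple(int(x) for x in m.groups()) if m else None


def assess(cmdline: str, version_banner: str, env: dict[str, str] | None = None) -> dict:
    """Evaluate one JVM against the advisory's conditions. `env` may carry the
    OTEL_INSTRUMENTATION_RMI_ENABLED variable, the env form of the -Dotel.* flag."""
    env = env or {}
    agent_jar, props = parse_jvm_cmdline(cmdline)
    attached = agent_jar is not None and "opentelemetry-javaagent" in os.path.basename(agent_jar)
    version = agent_version(agent_jar) if attached else None
    jmx_port = props.get("com.sun.management.jmxremote.port")
    rmi_flag = props.get("otel.instrumentation.rmi.enabled",
                         env.get("OTEL_INSTRUMENTATION_RMI_ENABLED", "true"))
    rmi_enabled = rmi_flag.strip().lower() != "false"
    jdk = jdk_major(version_banner)

    # Gadget-chain presence is not visible here; assume it holds (worst case).
    if not attached:
        verdict = "not-exposed: no OpenTelemetry javaagent on the command line"
    elif jmx_port is None:
        verdict = "not-exposed: com.sun.management.jmxremote.port not set"
    elif not rmi_enabled:
        verdict = "not-exposed: RMI instrumentation disabled (workaround in place)"
    elif jdk is not None and jdk > LAST_AFFECTED_JDK:
        verdict = "not-exposed: JDK %d is outside the affected range" % jdk
    elif version is not None and version >= FIXED_AGENT_VERSION:
        verdict = "not-exposed: agent %s is fixed" % ".".join(map(str, version))
    elif version is None or jdk is None:
        verdict = "review: agent or JDK version unknown; treat as exposed until confirmed"
    else:
        verdict = "exposed: upgrade the agent or set -Dotel.instrumentation.rmi.enabled=false"

    return {"agent_attached": attached, "agent_version": version, "jmx_port": jmx_port,
            "rmi_instrumentation_enabled": rmi_enabled, "jdk_major": jdk,
            "serial_filter": props.get("jdk.serialFilter"), "verdict": verdict}


# Constructed sample inputs (not captured from a real host)
BANNER_JDK11 = 'openjdk version "11.0.22" 2024-01-16'
BANNER_JDK17 = 'openjdk version "17.0.10" 2024-01-16'
CMD_VULNERABLE = ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
                  "-Dcom.sun.management.jmxremote.port=9010 "
                  "-Dcom.sun.management.jmxremote.authenticate=false -jar /srv/app/app.jar")
CMD_WORKAROUND = CMD_VULNERABLE.replace(" -jar ", " -Dotel.instrumentation.rmi.enabled=false -jar ")
CMD_UPGRADED = CMD_VULNERABLE.replace("2.25.0", "2.26.1")

if __name__ == "__main__":
    for label, cmd, banner in [("vulnerable", CMD_VULNERABLE, BANNER_JDK11),
                               ("workaround", CMD_WORKAROUND, BANNER_JDK11),
                               ("upgraded", CMD_UPGRADED, BANNER_JDK11),
                               ("jdk17", CMD_VULNERABLE, BANNER_JDK17)]:
        print(label, "->", assess(cmd, banner)["verdict"])
```

Command lines assembled through launcher scripts or JAVA_TOOL_OPTIONS do not always show up in `ps` output; for a running process, `jcmd <pid> VM.command_line` and `jcmd <pid> VM.system_properties` give the authoritative values to feed into `assess`. The helper deliberately never reports "not-exposed" on an unknown agent version, because the jar name is the only cheap signal and it is often unversioned.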
Affected Countries
United States, Germany, United Kingdom, Japan, India, China, France, Canada, Australia, Netherlands, South Korea, Brazil, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:06:05.746Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c5d2fe3c064ed76ff40486
Added to database: 3/27/2026, 12:44:46 AM
Last enriched: 3/27/2026, 1:00:05 AM
Last updated: 3/27/2026, 2:03:40 AM