Platform: java
Component: io.opentelemetry.javaagent:opentelemetry-javaagent
Fixed in: 2.26.2, 2.26.1
CVE-2026-33701 is a critical remote code execution (RCE) vulnerability. It exists because the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters, potentially allowing an attacker with network access to a JMX or RMI port to execute arbitrary code. This affects io.opentelemetry.javaagent:opentelemetry-javaagent versions 2.9.0 and earlier. The vulnerability is fixed in version 2.26.1.
CVE-2026-33701 in the OpenTelemetry Java instrumentation affects versions prior to 2.26.1. Specifically, the RMI instrumentation registers a custom endpoint that deserializes incoming data without applying serialization filters. This allows an attacker with network access to a JMX or RMI port on an instrumented JVM to potentially achieve remote code execution. The CVSS score for this vulnerability is 9.5, indicating a critical risk. Successful exploitation requires that the OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent) and an RMI endpoint is network-reachable.
An attacker could exploit this vulnerability by sending malicious serialized data over an exposed RMI endpoint. If the vulnerable OpenTelemetry Java instrumentation is in use, the custom endpoint could deserialize this data without proper validation, leading to arbitrary code execution. The success of exploitation depends on network configuration and the attacker's ability to access the RMI port. OpenTelemetry Java instrumentation is commonly used for telemetry and tracing, making systems that rely on it potentially vulnerable.
Exploit Status
EPSS: 0.40% (61st percentile)
The primary mitigation for CVE-2026-33701 is to upgrade the OpenTelemetry Java instrumentation to version 2.26.1 or later. This version includes a fix that implements serialization filters to prevent insecure deserialization. Additionally, restrict access to JMX and RMI ports to authorized sources only. Consider implementing network security policies that limit the exposure of these ports to the external network. Monitoring application logs for suspicious activity related to deserialization can also help detect and respond to potential attacks.
Update the OpenTelemetry Java Instrumentation library to version 2.26.1 or later. Alternatively, you can disable the RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false`.
Deserialization is the process of turning serialized data (a byte stream that encodes an object) back into live objects the application can use. If deserialization is not performed securely, for example without a serialization filter restricting which classes may be instantiated, it can allow attackers to execute arbitrary code.
Check the version of OpenTelemetry Java instrumentation you are using. If it is prior to 2.26.1, you are potentially affected. Also, confirm whether you have an RMI endpoint exposed to the network.
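The version check above and the mitigation property from the remediation section can be combined into one inventory check. The script below is an added example (not part of this advisory or of the OpenTelemetry project) that reads the agent version from the `-javaagent` jar's manifest, compares it numerically against 2.26.1, and checks whether `-Dotel.instrumentation.rmi.enabled=false` is set; it assumes the agent jar carries an `Implementation-Version` manifest attribute, and the jars and JVM command lines it inspects are constructed samples.

```python
import io, re, shlex, zipfile

FIXED_VERSION = (2, 26, 1)  # first fixed release named in the advisory
RMI_OFF_PROP = "-Dotel.instrumentation.rmi.enabled=false"  # mitigation from the advisory

def parse_version(text):
    """'2.25.0' -> (2, 25, 0): compare numerically, not as strings ('2.9.0' < '2.26.1')."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", text).groups())

def agent_version_from_jar(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF (assumed attribute name)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return match.group(1) if match else None

def assess_jvm(cmdline, jar_loader):
    """Classify one JVM: is the agent attached, is it a fixed version, is the mitigation set?"""
    args = shlex.split(cmdline)
    # -javaagent:<path>[=options]; only the jar path matters here
    agent = next((a[len("-javaagent:"):].split("=", 1)[0] for a in args if a.startswith("-javaagent:")), None)
    if agent is None:
        return {"agent_attached": False, "vulnerable": False, "reason": "no -javaagent"}
    version = agent_version_from_jar(jar_loader(agent))
    fixed = version is not None and parse_version(version) >= FIXED_VERSION
    rmi_off = RMI_OFF_PROP in args  # an unfixed agent is mitigated if RMI instrumentation is off
    reason = "fixed version" if fixed else ("RMI instrumentation disabled" if rmi_off else "upgrade or set " + RMI_OFF_PROP)
    return {"agent_attached": True, "version": version,
            "vulnerable": not (fixed or rmi_off), "reason": reason}

def build_fake_jar(version):
    """Constructed stand-in for the agent jar; only the manifest is needed for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()

# Constructed inventory, as if collected from a host: agent jar bytes and JVM command lines.
SAMPLE_JARS = {"/opt/otel/agent-2.25.0.jar": build_fake_jar("2.25.0"),
               "/opt/otel/agent-2.26.1.jar": build_fake_jar("2.26.1")}
SAMPLE_CMDLINES = [
    "java -javaagent:/opt/otel/agent-2.25.0.jar -jar app.jar",
    "java -javaagent:/opt/otel/agent-2.25.0.jar " + RMI_OFF_PROP + " -jar app.jar",
    "java -javaagent:/opt/otel/agent-2.26.1.jar -jar app.jar",
    "java -jar app.jar",
]

def run():
    """Assess every sample JVM; only the first one is still vulnerable."""
    return [assess_jvm(cmd, SAMPLE_JARS.get) for cmd in SAMPLE_CMDLINES]
```

On a real host, feed `assess_jvm` the command line of each running java process (for example from `ps`) and a loader that reads the jar from disk; the network-reachability of the RMI endpoint still has to be confirmed separately.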
JMX (Java Management Extensions) is a specification for managing and monitoring Java applications. It is often exposed over a network port.
There are vulnerability scanning tools that can detect the vulnerable OpenTelemetry Java instrumentation. Manual code and configuration review can also help identify potential issues.
Isolate the affected system, collect forensic evidence, and notify your security team. Upgrade the OpenTelemetry Java instrumentation to the latest version as soon as possible.