Platform
java
Component
com.datadoghq:dd-java-agent
Fixed in
0.40.1
1.60.3
CVE-2026-33728 is a Remote Code Execution (RCE) vulnerability in the Datadog Java Agent (dd-java-agent) affecting versions up to 1.9.0. The flaw is insecure deserialization in the agent's RMI instrumentation: an attacker who can reach the instrumented RMI/JMX endpoint can supply a crafted serialized object that the instrumentation deserializes without adequate filtering, yielding arbitrary code execution inside the instrumented Java Virtual Machine (JVM). The fix ships in the releases listed above (1.60.3, and 0.40.1 for the 0.x line). Exploitation requires specific conditions to hold: network reachability of an exposed JMX/RMI port and, per this page, a JVM running Java 16 or earlier.
An attacker exploiting CVE-2026-33728 gains code execution with the privileges of the JVM process. That includes running arbitrary commands, reading sensitive data held in the JVM's heap (credentials, session tokens, request payloads), and using the foothold to escalate privileges or move laterally. The impact is particularly severe because the trigger is remote: any host that can reach the JMX/RMI port can attempt it. Successful exploitation can lead to data breaches, full system compromise, and service disruption. The root cause is the same as in other deserialization-based RCE vulnerabilities, which is why untrusted ObjectInputStream input should always pass a serialization filter (on Java 9 and later, JEP 290's ObjectInputFilter, configurable JVM-wide with -Djdk.serialFilter) and why instrumentation must not widen the set of classes a deserialization endpoint will accept.
CVE-2026-33728 was publicly disclosed on 2026-03-26. Where the required conditions hold (an unpatched agent on a JVM with its JMX/RMI port reachable), the exploitation path is a standard deserialization attack and is considered straightforward. No public proof-of-concept (PoC) code had been released as of this writing; given the well-understood nature of deserialization bugs, a PoC may appear. The vulnerability is not currently listed in the CISA KEV catalog, but its CRITICAL severity warrants close monitoring.
Exploit Status
EPSS
0.75% (73rd percentile)
CISA SSVC
The primary mitigation for CVE-2026-33728 is to upgrade the Datadog Java Agent to version 1.60.3 or later (0.40.1 or later on the 0.x line). If an immediate upgrade is not feasible, reduce exposure in this order: disable the agent's RMI integration (see the vendor workaround below); remove remote JMX access by dropping the -Dcom.sun.management.jmxremote.port argument from the JVM startup command, which closes the remotely reachable RMI endpoint; and restrict who can reach any JMX/RMI port that must stay open, using network segmentation and firewall rules that allow only authorized management hosts. As defence in depth, harden the JVM configuration so that a successful deserialization attack has less to work with, for example by setting a JVM-wide serialization filter with -Djdk.serialFilter; this does not replace the upgrade. After upgrading, verify the fix by confirming the agent version actually loaded in each running JVM (the -javaagent jar path on the process command line, or the agent's own startup log) rather than by attempting to trigger the vulnerable endpoint, since no safe trigger is published and a failed attempt proves nothing.
Update the dd-trace-java library to version 1.60.3 or later. If you cannot update, set the environment variable `DD_INTEGRATION_RMI_ENABLED=false` to disable the RMI integration. Use this workaround only until the library can be updated.
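The checks above (agent version against the fixed releases, the RMI-integration workaround, and an exposed remote JMX port) can be applied to a JVM's command line and environment mechanically. The script below is an added example written for this page, not Datadog tooling. It assumes the agent version can be read from a `-javaagent:...dd-java-agent-<version>.jar` path, and it additionally treats the system property `-Ddd.integration.rmi.enabled=false` as equivalent to the documented environment variable (an assumption, not something this page states). The Java-release condition (Java 16 or earlier) is not checked. The sample command lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not Datadog's tooling: a read-only audit of JVM command lines
# against the conditions this page gives for CVE-2026-33728.
# Assumptions (not from the page): the agent version is taken from the
# -javaagent:...dd-java-agent-<version>.jar path, and the RMI integration may
# also be switched off with -Ddd.integration.rmi.enabled=false.
# The Java-release condition (Java 16 or earlier) is not checked here.

FIXED_1X="1.60.3"   # "Fixed in" values from this page
FIXED_0X="0.40.1"

# version_lt A B: exit 0 if dotted version A sorts before B, 1 otherwise.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# agent_version_from_cmdline CMDLINE: print the dd-java-agent jar version, or nothing.
agent_version_from_cmdline() {
  printf '%s\n' "$1" |
    sed -n 's/.*-javaagent:[^ ]*dd-java-agent-\([0-9][0-9.]*\)\.jar.*/\1/p'
}

# jmx_port_exposed CMDLINE: exit 0 when a remote JMX/RMI port is configured.
jmx_port_exposed() {
  case "$1" in
    *-Dcom.sun.management.jmxremote.port=*) return 0 ;;
  esac
  return 1
}

# rmi_integration_disabled CMDLINE RMI_ENV: exit 0 when the workaround is in place,
# via DD_INTEGRATION_RMI_ENABLED=false (from the page) or the assumed system property.
rmi_integration_disabled() {
  case "$2" in
    [Ff][Aa][Ll][Ss][Ee]) return 0 ;;
  esac
  case "$1" in
    *-Ddd.integration.rmi.enabled=false*) return 0 ;;
  esac
  return 1
}

# assess CMDLINE [RMI_ENV]: print one verdict token for the given JVM.
assess() {
  cmdline="$1"
  rmi_env="${2:-}"
  ver=$(agent_version_from_cmdline "$cmdline")
  if [ -z "$ver" ]; then
    echo "NOT_INSTRUMENTED"; return 0
  fi
  case "$ver" in
    0.*) fixed="$FIXED_0X" ;;
    *)   fixed="$FIXED_1X" ;;
  esac
  if ! version_lt "$ver" "$fixed"; then
    echo "PATCHED"; return 0
  fi
  if rmi_integration_disabled "$cmdline" "$rmi_env"; then
    echo "WORKAROUND_RMI_DISABLED"; return 0
  fi
  if jmx_port_exposed "$cmdline"; then
    echo "VULNERABLE_JMX_EXPOSED"; return 0
  fi
  echo "UNPATCHED_NO_JMX_PORT"
}

# audit_host: pair every java process's command line with its
# DD_INTEGRATION_RMI_ENABLED value read from /proc (Linux; needs read access).
audit_host() {
  for pid in $(pgrep -x java 2>/dev/null); do
    cl=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null) || continue
    env_val=$(tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null |
      sed -n 's/^DD_INTEGRATION_RMI_ENABLED=//p')
    printf '%s %s\n' "$pid" "$(assess "$cl" "$env_val")"
  done
}

# Constructed sample command lines (not captured from a real host).
SAMPLE_EXPOSED='java -javaagent:/opt/datadog/dd-java-agent-1.58.0.jar -Dcom.sun.management.jmxremote.port=9010 -jar app.jar'
SAMPLE_PATCHED='java -javaagent:/opt/datadog/dd-java-agent-1.60.3.jar -Dcom.sun.management.jmxremote.port=9010 -jar app.jar'

printf 'sample exposed: %s\n' "$(assess "$SAMPLE_EXPOSED")"
printf 'sample patched: %s\n' "$(assess "$SAMPLE_PATCHED")"
```

Run `audit_host` on each Linux host as a user that can read the target JVMs' `/proc/<pid>/environ`; a verdict of `VULNERABLE_JMX_EXPOSED` is the case to fix first, and `UNPATCHED_NO_JMX_PORT` still needs the upgrade because the remaining conditions are outside what a command-line check can see.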
CVE-2026-33728 is a critical Remote Code Execution vulnerability in Datadog Java Agent versions up to 1.9.0: insecure deserialization in the agent's RMI instrumentation lets a remote attacker execute code on instrumented JVMs.
You are affected if you run Datadog Java Agent version 1.9.0 or earlier on Java 16 or earlier with a remote JMX/RMI port exposed (for example, -Dcom.sun.management.jmxremote.port set and reachable from the network).
Upgrade to Datadog Java Agent version 1.60.3 or later. As a temporary workaround, set DD_INTEGRATION_RMI_ENABLED=false to disable the RMI integration, or remove remote JMX/RMI access by dropping the -Dcom.sun.management.jmxremote.port argument.
No public exploit or proof of concept is known as of this writing, and the CVE is not in the CISA KEV catalog, but given the CRITICAL severity and the straightforward nature of deserialization attacks, treat unpatched JVMs with a reachable JMX/RMI port as exposed.
Refer to the official Datadog security advisory for CVE-2026-33728 for the authoritative affected-version ranges and fix details.