Vulnerability Details CVE-2026-33701
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.

All three of the following conditions must be true to exploit this vulnerability:
- OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier.
- A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable.
- A gadget-chain-compatible library is present on the classpath.

This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
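A triage check built from the conditions above, as an added example that is not part of the advisory or of the OpenTelemetry project: it takes a JVM command line, the JDK major version and the agent version (assumed to be looked up separately), tests the `-javaagent`, `-Dcom.sun.management.jmxremote.port` and `-Dotel.instrumentation.rmi.enabled=false` settings, and reports whether the host still needs the upgrade or the workaround. The sample command lines are constructed; the gadget-chain condition is not checked because it depends on the classpath.

```python
import re
import shlex

AGENT_RE = re.compile(r"^-javaagent:.*opentelemetry-javaagent[^/]*\.jar(=.*)?$", re.I)
JMX_PORT_RE = re.compile(r"^-Dcom\.sun\.management\.jmxremote\.port=(\d+)$")
WORKAROUND = "-Dotel.instrumentation.rmi.enabled=false"
FIXED_VERSION = (2, 26, 1)   # first release with the RMI deserialization fix

# Constructed sample inventory (not from the advisory): command line as shown by
# `ps -o args`, the JDK major version, and the agent version already looked up.
SAMPLE_JVMS = [
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11, (2, 25, 0)),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
     "-Dcom.sun.management.jmxremote.port=9010 "
     "-Dotel.instrumentation.rmi.enabled=false -jar app.jar", 11, (2, 25, 0)),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 17, (2, 25, 0)),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar -jar app.jar", 8, (2, 25, 0)),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11, (2, 26, 1)),
]

def assess_jvm(cmdline, java_major, agent_version):
    """Evaluate the advisory's preconditions for one JVM process.

    The gadget-chain condition depends on the classpath and is not checked
    here, so "exposed" means "exposed unless the classpath holds no gadgets".
    """
    args = shlex.split(cmdline)
    agent = any(AGENT_RE.match(a) for a in args)
    port = None
    for a in args:
        m = JMX_PORT_RE.match(a)
        if m:
            port = int(m.group(1))   # the last -D occurrence wins, as on a real JVM
    workaround = WORKAROUND in args
    exposed = (agent and agent_version < FIXED_VERSION and java_major <= 16
               and port is not None and not workaround)
    advice = ("EXPOSED: upgrade the agent to 2.26.1+ or set " + WORKAROUND
              if exposed else "not exposed by the checked conditions")
    return {"otel_agent": agent, "jmx_port": port, "java_major": java_major,
            "workaround_set": workaround, "exposed": exposed, "advice": advice}

if __name__ == "__main__":
    for cmd, major, ver in SAMPLE_JVMS:
        r = assess_jvm(cmd, major, ver)
        print(f"jdk{major:<3} agent={'.'.join(map(str, ver)):<7} "
              f"port={r['jmx_port']!s:<5} {r['advice']}")
```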
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 66.0%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2026-33701
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.1.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.10.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.10.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.11.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.12.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.12.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.13.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.13.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.14.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.15.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.15.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.16.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.16.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.17.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.2.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.2.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.2.2
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.3.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.4.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.6.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.6.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.7.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.8.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:0.9.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.0.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.0.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.1.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.10.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.10.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.11.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.11.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.12.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.12.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.13.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.13.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.14.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.15.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.16.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.17.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.18.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.19.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.19.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.19.2
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.2.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.20.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.20.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.20.2
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.21.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.22.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.22.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.23.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.24.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.25.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.25.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.26.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.27.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.28.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.3.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.3.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.4.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.4.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.5.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.5.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.5.2
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.5.3
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.6.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.6.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.6.2
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.7.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.7.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.7.2
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.8.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.9.0
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.9.1
- cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:1.9.2