Description
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, a gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
Published: 2026-03-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OpenTelemetry Java instrumentation registers a custom RMI endpoint that deserializes incoming data without any serialization filtering. This flaw allows an attacker to send specially crafted serialized objects that, when processed by the instrumented JVM, can trigger arbitrary code execution with the privileges of the JVM process. The weakness is identified as an unsafe deserialization defect, CWE-502. When the vulnerability is exploited, it can compromise the confidentiality, integrity, and availability of the affected system by allowing an attacker to execute arbitrary code on the host.

Affected Systems

Products affected are the OpenTelemetry Java instrumentation libraries, versions prior to 2.26.1, when they are attached as a Java agent via the `-javaagent` option to a JVM running on Java 16 or earlier. The JVM must have a JMX or RMI port explicitly configured and exposed to the network, and a gadget-chain-compatible library must be present on the classpath. JDK versions 17 or newer are not impacted, and upgrading the instrumentation library to 2.26.1 or later removes this risk.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, yet the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting that the likelihood of real-world exploitation is currently low. Exploitation requires three conditions at once: the JVM must be instrumented by OpenTelemetry Java instrumentation under `-javaagent`, a network-reachable JMX/RMI port must be configured, and the classpath must contain a compatible gadget library. The likely attack vector is a remote attacker targeting the exposed port to deliver malicious serialized payloads; this inference is based on the description that the vulnerability can be triggered by external input over the network.

Generated by OpenCVE AI on April 2, 2026 at 05:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenTelemetry Java instrumentation to version 2.26.1 or later
  • If an upgrade is not immediately possible, disable the RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false`
  • Ensure the JVM runs on JDK 17 or newer, or otherwise restrict network access to the JMX/RMI port to trusted hosts
  • Verify that no gadget-chain-compatible libraries are present on the classpath
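The preconditions in the description and the recommended actions above translate into a launch-line triage check. The following POSIX shell script is an added example, not code from the OpenCVE page or the OpenTelemetry project: it reduces a `java -version` string to a major release, tests a JVM launch line for the agent, the JDK generation, the explicit JMX/RMI port and the presence of the documented workaround property, and rewrites a launch line to include that property. The sample launch line, its paths and its port number are constructed for the example. A launch line cannot reveal whether a gadget-chain-compatible library is on the classpath (the advisory's third condition), so a match means the JVM needs review, not that it is confirmed exploitable.

```shell
#!/bin/sh
# Added example, not code from the OpenCVE page or the OpenTelemetry project.
# Triage helpers for the preconditions the advisory lists. A launch line can
# confirm the agent, the JDK generation and the JMX/RMI port; it cannot show
# whether a gadget-chain-compatible library sits on the classpath, so a match
# means "review this JVM", not "confirmed exploitable".

# Reduce a `java -version` string to its major release number:
# 1.8.0_292 -> 8, 11.0.21 -> 11, 16 -> 16, 17.0.9 -> 17.
java_major_version() {
  v="$1"
  case "$v" in
    1.*) v="${v#1.}" ;;    # legacy 1.x scheme used up to Java 8
  esac
  printf '%s\n' "${v%%.*}"
}

# otel_rmi_check MAJOR CMDLINE
# Returns 0 when the launch line has the OpenTelemetry agent attached on
# JDK 16 or earlier with an explicit JMX/RMI port and the RMI integration
# still enabled; returns 1 when any advisory precondition is missing or the
# documented workaround property is already present.
otel_rmi_check() {
  major="$1"
  cmdline="$2"
  case "$cmdline" in                       # condition 1a: agent attached
    *-javaagent:*opentelemetry-javaagent*) ;;
    *) return 1 ;;
  esac
  [ "$major" -le 16 ] || return 1          # condition 1b: JDK 16 or earlier
  case "$cmdline" in                       # condition 2: JMX/RMI port configured
    *-Dcom.sun.management.jmxremote.port=*) ;;
    *) return 1 ;;
  esac
  case "$cmdline" in                       # workaround already applied?
    *-Dotel.instrumentation.rmi.enabled=false*) return 1 ;;
  esac
  return 0
}

# apply_rmi_workaround CMDLINE
# Prints the launch line with the advisory's workaround property inserted
# directly after the java executable, so it precedes -jar or the main class.
apply_rmi_workaround() {
  cmdline="$1"
  case "$cmdline" in
    *-Dotel.instrumentation.rmi.enabled=false*) printf '%s\n' "$cmdline"; return 0 ;;
  esac
  exe="${cmdline%% *}"
  rest="${cmdline#* }"
  printf '%s -Dotel.instrumentation.rmi.enabled=false %s\n' "$exe" "$rest"
}

# Constructed sample launch line (agent path, port and jar name are made up).
SAMPLE='java -javaagent:/opt/otel/opentelemetry-javaagent.jar -Dcom.sun.management.jmxremote.port=9010 -jar app.jar'

if otel_rmi_check "$(java_major_version 11.0.21)" "$SAMPLE"; then
  echo "JVM matches the advisory preconditions; upgrade to 2.26.1 or later, or relaunch with:"
  apply_rmi_workaround "$SAMPLE"
fi
```

In a fleet sweep the launch line would come from the process table of each host and the version from `java -version` on that host's runtime; the functions are kept free of those lookups so they can be tested against recorded inventory data offline.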

Advisories
Source: GitHub GHSA
ID: GHSA-xw7x-h9fj-p2c7
Title: OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
History

Wed, 01 Apr 2026 23:45:00 +0000

Type: First Time appeared
  Values Added: Linuxfoundation; Linuxfoundation opentelemetry Instrumentation For Java
Type: CPEs
  Values Added: cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Linuxfoundation; Linuxfoundation opentelemetry Instrumentation For Java
Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Sat, 28 Mar 2026 12:15:00 +0000

Type: References
  (no values listed)
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important


Fri, 27 Mar 2026 14:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
  Values Added: Opentelemetry; Opentelemetry opentelemetry-java-instrumentation
Type: Vendors & Products
  Values Added: Opentelemetry; Opentelemetry opentelemetry-java-instrumentation

Fri, 27 Mar 2026 04:00:00 +0000

Type: Description
  Values Added: OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
Type: Title
  Values Added: OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
Type: Weaknesses
  Values Added: CWE-502
Type: References
  (no values listed)
Type: Metrics
  Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:52:22.536Z

Reserved: 2026-03-23T17:06:05.746Z

Link: CVE-2026-33701

Vulnrichment

Updated: 2026-03-27T13:26:05.882Z

NVD

Status : Analyzed

Published: 2026-03-27T01:16:19.313

Modified: 2026-04-01T16:00:06.900

Link: CVE-2026-33701

Redhat

Severity : Important

Public Date: 2026-03-27T00:01:12Z

Links: CVE-2026-33701 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:55:56Z

Weaknesses