Description
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
Published: 2026-03-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OpenTelemetry Java Instrumentation provides auto‑instrumentation for Java applications. In versions before 2.26.1, its RMI instrumentation registers a custom endpoint that deserializes incoming data without applying a serialization filter. On JDK 16 and earlier, a remote attacker who can reach a JMX or RMI port on the instrumented JVM can send a crafted serialized object to that endpoint and, if a gadget‑chain‑compatible library is present on the classpath, achieve arbitrary code execution. The flaw is classic unsafe deserialization (CWE‑502); the attacker's code runs with the privileges of the user account that owns the JVM process.

Affected Systems

Affected systems are those running OpenTelemetry Java Instrumentation older than 2.26.1 as a Java agent (`-javaagent`) on Java 16 or earlier, with a JMX/RMI port configured via `-Dcom.sun.management.jmxremote.port` and reachable over the network, and without the RMI integration disabled. Deployments on JDK 17 or newer are not impacted and need no remediation, though upgrading remains recommended.

Risk and Exploitability

The CVSS 4.0 score of 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) classifies the flaw as critical: once the port is reachable, no privileges and no user interaction are needed. Exploitation nonetheless requires all three conditions at once: the vulnerable agent on Java 16 or earlier, a JMX/RMI port that was explicitly configured and is reachable over the network, and a gadget‑chain‑compatible library on the classpath. JMX/RMI ports are often confined behind firewalls, but any exposed port can be abused. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation. Given the severity and the possibility of remote code execution, immediate patching is advised wherever the three conditions apply.

Generated by OpenCVE AI on March 27, 2026 at 06:25 UTC.

Remediation

Vendor fix: upgrade OpenTelemetry Java Instrumentation to version 2.26.1 or later. This is needed on JDK 16 and earlier; JDK 17 and later require no action, though upgrading is encouraged. Workaround: disable the RMI integration by starting the JVM with `-Dotel.instrumentation.rmi.enabled=false`.

OpenCVE Recommended Actions

  • Check whether the Java process is started with the OpenTelemetry Java Instrumentation agent (`-javaagent`), which version of the agent is deployed, and whether the JVM runs on Java 16 or earlier.
  • If the agent is older than 2.26.1 and the JVM has a JMX/RMI port configured (`-Dcom.sun.management.jmxremote.port`) that is reachable from the network, upgrade the agent to version 2.26.1 or newer.
  • If an upgrade is not immediately possible, disable the RMI integration by adding the JVM startup option `-Dotel.instrumentation.rmi.enabled=false`.
  • Restrict or disable the JMX/RMI port if it is not required; where it is required, keep it off untrusted networks.
  • Keep the OpenTelemetry agent on the latest release to receive future security patches.
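The checks above can be scripted against a JVM's `java -version` output and its command line. The helper below is an added example written for this page; it is not an OpenCVE tool nor part of the OpenTelemetry project. It assumes the agent jar appears on the command line under its release name `opentelemetry-javaagent.jar`, that the JMX port is set via the `-Dcom.sun.management.jmxremote.port` property on the command line, and that the sample inventory embedded at the bottom is constructed, not real hosts. It does not check the agent version (read that from the jar or the build) or whether a gadget‑chain library is on the classpath, so an `EXPOSED` verdict means "patch or prove no gadget library is present", not "confirmed exploitable".

```shell
#!/bin/sh
# Added example for CVE-2026-33701 triage (not OpenCVE's or the OpenTelemetry
# project's code). Classifies a JVM by the advisory's conditions that can be
# read off the command line: agent attached, Java <= 16, JMX/RMI port set,
# and whether the documented workaround property is present.

# Extract the major version from the first line of `java -version 2>&1`.
# Handles the legacy "1.8.0_292" form (major is the second field) and the
# modern "11.0.2" / "17" form (major is the first field).
java_major_version() {
    v=$(printf '%s' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# Inspect one JVM. $1: Java major version, $2: full command line.
# Prints exactly one verdict: UNKNOWN_VERSION, NOT_AFFECTED, MITIGATED, EXPOSED.
assess_jvm() {
    major=$1
    cmdline=$2
    case "$major" in
        ''|*[!0-9]*) echo UNKNOWN_VERSION; return ;;
    esac
    # Assumption: the agent jar keeps its release file name on the command line.
    case "$cmdline" in
        *-javaagent:*opentelemetry-javaagent*) agent=yes ;;
        *) agent=no ;;
    esac
    # The advisory's second condition: the JMX port was explicitly configured.
    case "$cmdline" in
        *-Dcom.sun.management.jmxremote.port=*) jmx=yes ;;
        *) jmx=no ;;
    esac
    # The documented workaround property.
    case "$cmdline" in
        *-Dotel.instrumentation.rmi.enabled=false*) rmi_disabled=yes ;;
        *) rmi_disabled=no ;;
    esac
    if [ "$agent" = no ] || [ "$major" -ge 17 ] || [ "$jmx" = no ]; then
        echo NOT_AFFECTED
    elif [ "$rmi_disabled" = yes ]; then
        echo MITIGATED
    else
        echo EXPOSED
    fi
}

# Constructed sample inventory: "<java -version line>|<command line>" per row.
SAMPLES='openjdk version "11.0.2" 2019-01-15|java -javaagent:/opt/opentelemetry-javaagent.jar -Dcom.sun.management.jmxremote.port=9010 -jar app.jar
openjdk version "1.8.0_292"|java -javaagent:/opt/opentelemetry-javaagent.jar -Dcom.sun.management.jmxremote.port=9010 -Dotel.instrumentation.rmi.enabled=false -jar app.jar
openjdk version "17.0.1" 2021-10-19|java -javaagent:/opt/opentelemetry-javaagent.jar -Dcom.sun.management.jmxremote.port=9010 -jar app.jar
openjdk version "11.0.2" 2019-01-15|java -javaagent:/opt/opentelemetry-javaagent.jar -jar app.jar'

printf '%s\n' "$SAMPLES" | while IFS='|' read -r verline cmdline; do
    printf '%-16s %s\n' "$(assess_jvm "$(java_major_version "$verline")" "$cmdline")" "$cmdline"
done
```

On a live host, feed each PID's `/proc/<pid>/cmdline` (with NULs replaced by spaces) and the output of that JVM's own `java -version` into `assess_jvm`; a JVM whose JMX port is enabled through a config file rather than the command-line property will show as `NOT_AFFECTED` here and needs a manual look.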

Advisories
Source       ID                    Title
GitHub GHSA  GHSA-xw7x-h9fj-p2c7   OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
History

Fri, 27 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Opentelemetry; Opentelemetry opentelemetry-java-instrumentation
Vendors & Products    (none)           Opentelemetry; Opentelemetry opentelemetry-java-instrumentation

Fri, 27 Mar 2026 04:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
Title         (none)           OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
Weaknesses    (none)           CWE-502
References    (none)
Metrics       (none)           cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:52:22.536Z

Reserved: 2026-03-23T17:06:05.746Z

Link: CVE-2026-33701

Vulnrichment

Updated: 2026-03-27T13:26:05.882Z

NVD

Status: Received

Published: 2026-03-27T01:16:19.313

Modified: 2026-03-27T01:16:19.313

Link: CVE-2026-33701

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:22:39Z

Weaknesses