Description
dd-trace-java is a Datadog APM client for Java. In dd-trace-java versions 0.40.0 up to and including 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, a gadget-chain-compatible library is present on the classpath. For JDK 17 and later, no action is required, but upgrading is strongly encouraged. For JDK 8u121 and later but earlier than JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK versions earlier than 8u121, where serialization filters are not available, apply the workaround. The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`.
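As an added triage helper (not code from this page or from Datadog), the following Python evaluates a JVM's command line, environment and version strings against the three exploit preconditions and the per-JDK remediation stated above; the agent jar name, the `assess` helper and the sample inputs are constructed assumptions.

```python
import re

FIXED_AGENT = (1, 60, 3)           # first fixed dd-trace-java release named in the advisory
JMX_PORT_FLAG = "-Dcom.sun.management.jmxremote.port="


def parse_agent_version(v):
    """'1.60.2' -> (1, 60, 2); tolerates suffixes such as '1.60.2-SNAPSHOT'."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def parse_java_version(v):
    """(feature, update): '1.8.0_121' -> (8, 121); '16.0.2' -> (16, 0); '17' -> (17, 0)."""
    legacy = re.match(r"1\.(\d+)\.\d+_(\d+)", v)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2))
    return int(re.findall(r"\d+", v)[0]), 0


def assess(java_version, agent_version, cmdline, env, gadget_lib_on_classpath):
    """Evaluate the advisory's preconditions; returns exposure, per-condition results and action."""
    feature, update = parse_java_version(java_version)
    conditions = {
        # 1. agent attached via -javaagent (the jar name is an assumption for the sample)
        "agent_attached": any(a.startswith("-javaagent:") and "dd-java-agent" in a for a in cmdline),
        "agent_unpatched": parse_agent_version(agent_version) < FIXED_AGENT,
        "jdk_16_or_older": feature <= 16,
        # 2. JMX/RMI port explicitly configured (network reachability must be checked separately)
        "jmx_port_configured": any(a.startswith(JMX_PORT_FLAG) for a in cmdline),
        "rmi_integration_enabled": env.get("DD_INTEGRATION_RMI_ENABLED", "true").lower() != "false",
        # 3. gadget-chain-compatible library present; supplied by the caller after a classpath review
        "gadget_lib_on_classpath": gadget_lib_on_classpath,
    }
    if feature >= 17:
        action = "none required; upgrading dd-trace-java is still encouraged"
    elif feature > 8 or (feature == 8 and update >= 121):   # serialization filters available
        action = "upgrade dd-trace-java to 1.60.3 or later"
    else:                                                    # no serialization filters on this JDK
        action = "set DD_INTEGRATION_RMI_ENABLED=false"
    return {"exposed": all(conditions.values()), "conditions": conditions, "action": action}


# Constructed sample: JDK 8u292 host running an unpatched agent with a JMX port configured.
SAMPLE = assess(
    java_version="1.8.0_292", agent_version="1.58.0",
    cmdline=["-javaagent:/opt/datadog/dd-java-agent.jar", JMX_PORT_FLAG + "9010", "-jar", "app.jar"],
    env={}, gadget_lib_on_classpath=True,
)
```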
Published: 2026-03-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

dd-trace-java, a Datadog APM client for Java, contains an RMI endpoint that deserializes incoming data without applying serialization filters. The flaw, classified as CWE-502, allows an attacker who can reach the JMX or RMI port of a JVM instrumented with dd-trace-java (versions 0.40.0 through 1.60.2) to trigger an unsafe deserialization path and potentially execute arbitrary code with the privileges of the instrumented JVM process. The vulnerability requires three conditions: the Java agent must be attached, a JMX/RMI port must be configured and network-reachable, and a gadget-chain-compatible library must exist on the classpath. When all three conditions are satisfied, the attacker can gain full control of the JVM process, compromising confidentiality, integrity, and availability.

Affected Systems

The affected vendor is Datadog, with the product dd-trace-java. Versions from 0.40.0 through 1.60.2 are vulnerable on JDK 16 and earlier. Java 17 and later apply serialization filters that mitigate the flaw, so no action is required there. The fixed agent relies on serialization filters, which are available from Java 8u121 onward; for JDK versions older than 8u121, serialization filters are not available, so the upgrade does not help and the RMI integration must be disabled instead. Users running dd-trace-java before 1.60.3 with the agent attached on any JDK older than 17 are at risk.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating a critical risk level. The EPSS score is not available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Attackers would need network access to a reachable JMX or RMI port, which is typically limited to internal networks. The vulnerability is remotely exploitable through the RMI interface and requires the presence of gadget-chain libraries on the JVM classpath. The realistic likelihood of exploitation depends on whether the environment exposes the JMX/RMI port beyond trusted networks and whether such libraries are present. These conditions are common in production deployments of dd-trace-java that lack network hardening, making the overall risk high for affected configurations.

Generated by OpenCVE AI on March 27, 2026 at 06:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade dd-trace-java to version 1.60.3 or later on all affected JDK versions (8u121 or newer).
  • If upgrading is not possible, or the JDK is older than 8u121, disable the vulnerable RMI integration by setting the environment variable DD_INTEGRATION_RMI_ENABLED=false.
  • Verify that JMX/RMI ports are not exposed to untrusted networks and remove any gadget-chain-compatible libraries from the classpath.
  • Ensure the Java runtime is upgraded to JDK 17 or higher, which provides built-in serialization filters that close the unsafe deserialization path.

Advisories
Source: GitHub GHSA
ID: GHSA-579q-h82j-r5v2
Title: dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Datadog; Datadog dd-trace-java

Type: Vendors & Products
Values Removed: (none)
Values Added: Datadog; Datadog dd-trace-java

Fri, 27 Mar 2026 04:00:00 +0000

Type / Values Removed / Values Added:
Description dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable, Third, a gadget-chain-compatible library is present on the classpath. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK >= 8u121 < JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround. The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`.
Title dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T00:25:56.444Z

Reserved: 2026-03-23T17:34:57.560Z

Link: CVE-2026-33728

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T01:16:20.203

Modified: 2026-03-27T01:16:20.203

Link: CVE-2026-33728

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:22:33Z

Weaknesses