CVE-2026-33701

Source
https://cve.org/CVERecord?id=CVE-2026-33701
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33701.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33701
Aliases
Published
2026-03-27T00:01:12.327Z
Modified
2026-04-02T13:28:56.693487Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
Details

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true for the vulnerability to be exploitable:
  • OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent) on Java 16 or earlier.
  • A JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable.
  • A gadget-chain-compatible library is present on the classpath.
Successful exploitation results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK 17 and later, no action is required, but upgrading is strongly encouraged. For JDK versions earlier than 17, upgrade to version 2.26.1 or later. As a workaround, set the system property -Dotel.instrumentation.rmi.enabled=false to disable the RMI instrumentation.
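
The exposure conditions above, turned into a triage check that can be run over a fleet's JVM command lines. This is an added example, not code from the OpenTelemetry project or from this record. It assumes the agent jar keeps its release file name (opentelemetry-javaagent-X.Y.Z.jar) so the version can be read from the -javaagent argument, that the RMI instrumentation is enabled unless otel.instrumentation.rmi.enabled is explicitly set to false, and that the sample command lines are constructed for illustration. The third condition (a gadget-chain library on the classpath) cannot be decided from a command line, so the check reports "exposed" pending a classpath review instead of guessing. The function names and status labels are this example's own.

```python
"""Triage helper for CVE-2026-33701: classifies a JVM against the advisory's
exposure conditions.  Added example, not code from the OpenTelemetry project
or from this OSV record."""
import re
import shlex

FIXED_VERSION = (2, 26, 1)                      # first fixed agent release
JMX_PORT_PROP = "com.sun.management.jmxremote.port"
WORKAROUND_PROP = "otel.instrumentation.rmi.enabled"


def parse_version(text):
    """'v2.26.1' -> (2, 26, 1).  Ignores any suffix such as '-alpha'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def system_props(args):
    """Collect -Dkey=value pairs from a JVM argument list."""
    props = {}
    for a in args:
        if a.startswith("-D"):
            key, _, value = a[2:].partition("=")
            props[key] = value
    return props


def agent_jar(args):
    """Path of the first -javaagent jar (agent options after '=' dropped), or None."""
    for a in args:
        if a.startswith("-javaagent:"):
            return a[len("-javaagent:"):].split("=", 1)[0]
    return None


def version_from_jar_name(path):
    """Assumption: the jar keeps its release name (opentelemetry-javaagent-2.25.0.jar).
    Returns None if it was renamed, so the caller must supply the version."""
    m = re.search(r"opentelemetry-javaagent-(\d+\.\d+\.\d+)", path)
    return parse_version(m.group(1)) if m else None


def assess(cmdline, java_major, agent_version=None):
    """Return (status, reason) for one JVM.
    cmdline:       process command line (jcmd <pid> VM.command_line, ps -o args)
    java_major:    runtime major version (8, 11, 17, ...)
    agent_version: override as a tuple when the jar name carries no version
    Statuses: not_affected, not_exposed, workaround, unknown, exposed."""
    args = shlex.split(cmdline)
    props = system_props(args)
    jar = agent_jar(args)
    if jar is None:
        return "not_affected", "no -javaagent attached"
    ver = agent_version or version_from_jar_name(jar)
    if ver is None:
        return "unknown", f"cannot read agent version from {jar}; pass agent_version="
    if ver >= FIXED_VERSION:
        return "not_affected", "agent %d.%d.%d contains the fix" % ver
    if java_major >= 17:
        return "not_affected", "JDK %d: advisory requires no action" % java_major
    if JMX_PORT_PROP not in props:
        return "not_exposed", f"{JMX_PORT_PROP} not set; no JMX/RMI listener to reach"
    # Assumption: RMI instrumentation is on unless the property is explicitly false.
    if props.get(WORKAROUND_PROP, "true").lower() == "false":
        return "workaround", f"-D{WORKAROUND_PROP}=false disables the RMI endpoint"
    # The gadget-chain condition lives on the classpath, not the command line,
    # so the verdict is 'exposed pending classpath review' rather than a guess.
    return "exposed", ("agent %d.%d.%d on JDK %d with JMX/RMI port %s; review the "
                       "classpath for gadget-chain libraries and upgrade to 2.26.1+"
                       % (ver + (java_major, props[JMX_PORT_PROP])))


# Constructed sample command lines (not from any real host), paired with JDK major.
SAMPLE_JVMS = [
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
     "-Dcom.sun.management.jmxremote.port=9010 "
     "-Dotel.instrumentation.rmi.enabled=false -jar app.jar", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.26.1.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 17),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar -jar app.jar", 8),
    ("java -javaagent:/opt/agents/agent.jar -jar app.jar", 8),
    ("java -jar app.jar", 8),
]


def triage_all(samples=SAMPLE_JVMS):
    """Status for each sample, in order."""
    return [assess(cmd, jdk)[0] for cmd, jdk in samples]


if __name__ == "__main__":
    for cmd, jdk in SAMPLE_JVMS:
        status, why = assess(cmd, jdk)
        print(f"{status:<12} JDK {jdk:<3} {why}")
```

Feed assess() the output of jcmd <pid> VM.command_line or ps -o args together with the major version from java -version for that runtime. A "workaround" verdict means the RMI endpoint is disabled, which also disables the agent's RMI context propagation, so treat it as interim until 2.26.1 or later is deployed; an "unknown" verdict means the jar was renamed and the version has to be passed explicitly.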

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33701.json"
}
References

Affected packages

Git / github.com/open-telemetry/opentelemetry-java-instrumentation

Affected ranges

Type
GIT
Repo
https://github.com/open-telemetry/opentelemetry-java-instrumentation
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.26.1"
        }
    ]
}

Affected versions

v0.*
v0.1.1
v0.10.0
v0.10.1
v0.11.0
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.17.0
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.4.0
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.19.1
v1.19.2
v1.2.0
v1.20.0
v1.20.1
v1.20.2
v1.21.0
v1.22.0
v1.22.1
v1.23.0
v1.24.0
v1.25.0
v1.25.1
v1.26.0
v1.27.0
v1.28.0
v1.29.0
v1.3.0
v1.3.1
v1.30.0
v1.31.0
v1.32.0
v1.32.1
v1.33.0
v1.33.1
v1.33.2
v1.33.3
v1.33.4
v1.33.5
v1.33.6
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.9.0
v1.9.1
v1.9.2
v2.*
v2.0.0
v2.1.0
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.14.0
v2.15.0
v2.16.0
v2.17.0
v2.17.1
v2.18.0
v2.18.1
v2.19.0
v2.2.0
v2.20.0
v2.20.1
v2.21.0
v2.22.0
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.8.0
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33701.json"
vanir_signatures
[
    {
        "target": {
            "file": "instrumentation/rmi/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/rmi/context/ContextPropagator.java"
        },
        "digest": {
            "line_hashes": [
                "145146964130739278061362787386149672567",
                "110143348512141934348981655546618302961",
                "304660518431869667895845858418993958526",
                "248190926684088238293627193349130086347"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197",
        "signature_version": "v1",
        "id": "CVE-2026-33701-531493bb"
    },
    {
        "target": {
            "function": "read",
            "file": "instrumentation/rmi/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/rmi/context/ContextPayload.java"
        },
        "digest": {
            "function_hash": "221444182698632161206033477786300125418",
            "length": 352.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197",
        "signature_version": "v1",
        "id": "CVE-2026-33701-78505046"
    },
    {
        "target": {
            "function": "write",
            "file": "instrumentation/rmi/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/rmi/context/ContextPayload.java"
        },
        "digest": {
            "function_hash": "20913437022761566063265252032353579378",
            "length": 84.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197",
        "signature_version": "v1",
        "id": "CVE-2026-33701-8368f2c4"
    },
    {
        "target": {
            "file": "instrumentation/rmi/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/rmi/context/ContextPayload.java"
        },
        "digest": {
            "line_hashes": [
                "126134203770309751702335519877522762835",
                "228626441916330252419959349013129730318",
                "1988768274064939067375600370942435272",
                "58571396959093387754190081535405630093",
                "46603494266925261424277769889619275519",
                "23286768289580129798914219032548910738",
                "151122031756710207333341886062482190118",
                "206300600285113959731479187357900309001",
                "9274895510806208087549852479874325967",
                "237090651252061275459834858927032902659",
                "64350905441455634590126612065787179136",
                "283256902345324993772464557523833344641",
                "69987207188414593975449818690367637681",
                "195902048044080116922127280929108158569",
                "264664570558670155162234521454778943070",
                "235826972355539603299769320459512193970",
                "89820375791517327547941121829476679856",
                "248975887933514061755453911128247129679",
                "266835320481486845305826885770403958480",
                "327854459917676628668212134075422366881",
                "335236992405859826359138809492078658698",
                "263175956302215908585929197545941730760",
                "100321630001120542948195545534518402359",
                "271462825181851780192466165276506038236",
                "206994538422235210259510286059246291976"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197",
        "signature_version": "v1",
        "id": "CVE-2026-33701-b95a85a2"
    }
]