CVE-2026-33728

Source
https://cve.org/CVERecord?id=CVE-2026-33728
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33728.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33728
Published
2026-03-27T00:25:56.444Z
Modified
2026-04-10T05:43:34.675348Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
Details

dd-trace-java is a Datadog APM client for Java. In dd-trace-java versions 0.40.0 through 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must hold for the vulnerability to be exploitable: first, dd-trace-java is attached as a Java agent (-javaagent) on Java 16 or earlier; second, a JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable; third, a gadget-chain-compatible library is present on the classpath. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK >= 8u121 and < 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK versions earlier than 8u121, where serialization filters are not available, apply the workaround: set the environment variable DD_INTEGRATION_RMI_ENABLED=false to disable the RMI integration.

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33728.json",
    "cna_assigner": "GitHub_M"
}
Affected packages

Git / github.com/datadog/dd-trace-java

Affected ranges

Type
GIT
Repo
https://github.com/datadog/dd-trace-java
Database specific
{
    "versions": [
        {
            "introduced": "0.40.0"
        },
        {
            "fixed": "1.60.3"
        }
    ]
}

Affected versions

test-ver-ignore-0.*
test-ver-ignore-0.1729.0
test-ver-ignore-0.1729.1
v0.*
v0.100.0
v0.101.0
v0.102.0
v0.103.0
v0.104.0
v0.105.0
v0.106.0
v0.107.0
v0.107.1
v0.108.0
v0.109.0
v0.110.0
v0.111.0
v0.112.0
v0.113.0
v0.114.0
v0.115.0
v0.40.0
v0.41.0
v0.42.0
v0.43.0
v0.45.0
v0.46.0
v0.47.0
v0.48.0
v0.49.0
v0.50.0
v0.51.0
v0.52.0
v0.53.0
v0.54.0
v0.55.0
v0.56.0
v0.57.0
v0.58.0
v0.59.0
v0.60.0
v0.61.0
v0.62.0
v0.63.0
v0.64.0
v0.65.0
v0.66.0
v0.67.0
v0.68.0
v0.69.0
v0.70.0
v0.71.0
v0.72.0
v0.73.0
v0.74.0
v0.75.0
v0.76.0
v0.77.0
v0.78.0
v0.79.0
v0.80.0
v0.81.0
v0.82.0
v0.83.0
v0.84.0
v0.85.0
v0.86.0
v0.87.0
v0.88.0
v0.89.0
v0.90.0
v0.91.0
v0.92.0
v0.93.0
v0.94.0
v0.95.0
v0.95.1
v0.96.0
v0.97.0
v0.98.0
v0.99.0
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.2.0
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.28.0
v1.28.0-RC2
v1.28.0-RC3
v1.29.0
v1.3.0
v1.30.0
v1.30.0-RC1
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.35.0-RC1
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.40.0
v1.41.0
v1.42.0
v1.43.0
v1.44.0
v1.45.0
v1.46.0
v1.47.0
v1.48.0
v1.49.0
v1.5.0
v1.50.0
v1.51.0
v1.52.0
v1.53.0
v1.54.0
v1.55.0
v1.56.0
v1.57.0
v1.58.0
v1.59.0
v1.6.0
v1.60.0
v1.60.1
v1.60.2
v1.7.0
v1.8.0
v1.9.0
