GHSA-xw7x-h9fj-p2c7

Source

https://github.com/advisories/GHSA-xw7x-h9fj-p2c7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xw7x-h9fj-p2c7/GHSA-xw7x-h9fj-p2c7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xw7x-h9fj-p2c7

Aliases

CVE-2026-33701

Published

2026-03-25T21:27:43Z

Modified

2026-03-27T21:51:16.245041Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

Details

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: 1. OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent) 2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service) 3. A gadget-chain-compatible library is present on the classpath

Impact

Arbitrary remote code execution with the privileges of the user running the instrumented JVM.

Recommendation

Upgrade to version 2.26.1 or later.

Workarounds

Set the following system property to disable the RMI integration:

-Dotel.instrumentation.rmi.enabled=false

Credits

This vulnerability was responsibly disclosed in coordination with Datadog.

Database specific

{
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed": true,
    "severity": "CRITICAL",
    "github_reviewed_at": "2026-03-25T21:27:43Z",
    "nvd_published_at": "2026-03-27T01:16:19Z"
}

References

Affected packages

Maven / io.opentelemetry.javaagent:opentelemetry-javaagent

Package

Name: io.opentelemetry.javaagent:opentelemetry-javaagent; View open source insights on deps.dev
Purl: pkg:maven/io.opentelemetry.javaagent/opentelemetry-javaagent

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.26.1

Affected versions

0.*

0.12.0

0.12.1

0.13.0

0.13.1

0.14.0

0.15.0

0.15.1

0.16.0

0.16.1

0.17.0

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.5.3

1.6.0

1.6.1

1.6.2

1.7.0

1.7.1

1.7.2

1.8.0

1.9.0

1.9.1

1.9.2

1.10.0

1.10.1

1.11.0

1.11.1

1.12.0

1.12.1

1.13.0

1.13.1

1.14.0

1.15.0

1.16.0

1.17.0

1.18.0

1.19.0

1.19.1

1.19.2

1.20.0

1.20.1

1.20.2

1.21.0

1.22.0

1.22.1

1.23.0

1.24.0

1.25.0

1.25.1

1.26.0

1.27.0

1.28.0

1.29.0

1.30.0

1.31.0

1.32.0

1.32.1

1.33.0

1.33.1

1.33.2

1.33.3

1.33.4

1.33.5

1.33.6

2.*

2.0.0

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

2.10.0

2.11.0

2.12.0

2.13.0

2.13.1

2.13.2

2.13.3

2.14.0

2.15.0

2.16.0

2.17.0

2.17.1

2.18.0

2.18.1

2.19.0

2.20.0

2.20.1

2.21.0

2.22.0

2.23.0

2.24.0

2.25.0

2.26.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xw7x-h9fj-p2c7/GHSA-xw7x-h9fj-p2c7.json"