cbcvebase.
CVE-2026-33701
published 2026-03-27


Priority: P271, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.93% (56.3rd percentile)
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, a gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.

Affected (2 ranges)

Vendor            Product                                  Version range   Fixed in
linuxfoundation   opentelemetry_instrumentation_for_java   < 2.26.1        2.26.1
open-telemetry    opentelemetry-java-instrumentation       < 2.26.1        2.26.1

Detection & IOCs (extracted from sources)

  • Detect JVM processes launched with the OpenTelemetry Java agent AND an exposed JMX/RMI port on JDK ≤ 16 — the combination is the exploitable attack surface
  • Alert on JVM command-line arguments containing both `-javaagent` (referencing opentelemetry-javaagent) and `-Dcom.sun.management.jmxremote.port` on hosts running JDK 16 or earlier
  • Monitor for unexpected inbound network connections to the configured JMX/RMI port on instrumented JVMs; unauthenticated deserialization payloads arriving on this port are the exploitation vector
  • Verify the system property `-Dotel.instrumentation.rmi.enabled=false` is set as a workaround; absence of this flag on vulnerable JDK versions indicates unmitigated exposure
  • Scan classpaths of instrumented JVMs for known Java deserialization gadget-chain libraries (e.g., commons-collections, spring-core); their presence is the third required condition for exploitation
  • Flag use of affected Maven artifacts `io.opentelemetry.javaagent:opentelemetry-javaagent` or `com.splunk:splunk-otel-javaagent` in versions prior to 2.26.1 in SCA/dependency scanning
  • Exploitation requires ALL THREE conditions simultaneously: (1) otel javaagent attached on JDK ≤ 16, (2) JMX/RMI port explicitly configured and network-reachable, (3) gadget-chain library on classpath. Missing any one condition prevents exploitation.
  • JDK 17 and later are NOT vulnerable due to built-in serialization filter improvements; no action required for JDK ≥ 17 beyond upgrading the agent.
  • Red Hat JBoss EAP 8 and EAP Expansion Pack ship opentelemetry-javaagent but are assessed as NOT affected.
  • Successful exploitation grants the attacker the same OS-level privileges as the user running the JVM process, not necessarily root.
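The three-condition model in the description and the command-line checks in the detection list translate directly into a triage rule. The script below is an added example written for this page, not code from the OpenTelemetry project or the advisory's sources: it parses a JVM command line, confirms an OpenTelemetry (or Splunk-distributed) agent jar is attached, reads the agent version from the jar filename, looks for `-Dcom.sun.management.jmxremote.port`, checks for the `-Dotel.instrumentation.rmi.enabled=false` workaround, and scans `-cp`/`-classpath` entries for the gadget-chain library names the page cites. The JDK major version is supplied by the caller (in practice from `java -version` or `jcmd VM.version`), the sample command lines are constructed, and the classpath scan is a filename heuristic only: libraries loaded from a fat jar or a container's `lib/` directory will not appear in `-cp`, so the "no gadget seen" verdict should be read as unconfirmed rather than safe.

```python
"""Triage JVM command lines for CVE-2026-33701 exposure.

Added example for this CVE record. Assumptions not stated by the advisory:
the JDK major version is passed in by the caller, the agent version is read
from the -javaagent jar filename, and gadget-chain detection only inspects
jar names listed on -cp/-classpath.
"""
import re
import shlex

FIXED_VERSION = (2, 26, 1)                     # first fixed agent release
AGENT_NAMES = ("opentelemetry-javaagent", "splunk-otel-javaagent")
GADGET_HINTS = ("commons-collections", "spring-core")   # examples from the page
WORKAROUND = "-Dotel.instrumentation.rmi.enabled=false"
JMX_PORT_PREFIX = "-Dcom.sun.management.jmxremote.port="


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'opentelemetry-javaagent-2.25.0.jar'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def classpath_entries(argv):
    """Collect entries from every -cp / -classpath argument (':' or ';' separated)."""
    entries = []
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-cp", "-classpath"):
            entries.extend(re.split(r"[:;]", argv[i + 1]))
    return [e for e in entries if e]


def triage(cmdline, jdk_major):
    """Return a finding dict with a verdict for one JVM command line.

    Verdicts: not_affected, mitigated, vulnerable_not_reachable,
    exposed_no_gadget_seen, exposed.
    """
    argv = shlex.split(cmdline)
    agent = next((a[len("-javaagent:"):] for a in argv if a.startswith("-javaagent:")), None)
    agent_is_otel = agent is not None and any(n in agent for n in AGENT_NAMES)
    # Version comes from the jar basename; None means "unknown, treat as unfixed".
    agent_version = parse_version(agent.rsplit("/", 1)[-1]) if agent_is_otel else None
    jmx_port = next((a[len(JMX_PORT_PREFIX):] for a in argv if a.startswith(JMX_PORT_PREFIX)), None)
    gadget_jars = [e for e in classpath_entries(argv) if any(h in e for h in GADGET_HINTS)]

    finding = {
        "agent": agent,
        "agent_version": agent_version,
        "jdk_major": jdk_major,
        "jmx_port": jmx_port,
        "gadget_jars": gadget_jars,
        "workaround": WORKAROUND in argv,
    }

    # Condition 1: vulnerable agent on JDK <= 16. JDK 17+ and fixed agents are out of scope.
    if (not agent_is_otel or jdk_major >= 17
            or (agent_version is not None and agent_version >= FIXED_VERSION)):
        finding["verdict"] = "not_affected"
    elif finding["workaround"]:
        finding["verdict"] = "mitigated"
    # Condition 2: the RMI endpoint is only reachable if a JMX port was configured.
    elif jmx_port is None:
        finding["verdict"] = "vulnerable_not_reachable"
    # Condition 3: a gadget-chain library visible on the classpath.
    elif gadget_jars:
        finding["verdict"] = "exposed"
    else:
        finding["verdict"] = "exposed_no_gadget_seen"
    return finding


# Constructed sample command lines (not captured from a real host).
SAMPLES = [
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
     "-Dcom.sun.management.jmxremote.port=9010 "
     "-cp /app/lib/commons-collections-3.2.2.jar:/app/app.jar com.example.Main", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
     "-Dcom.sun.management.jmxremote.port=9010 " + WORKAROUND + " "
     "-cp /app/lib/commons-collections-3.2.2.jar:/app/app.jar com.example.Main", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar -cp /app/app.jar com.example.Main", 8),
    ("java -javaagent:/opt/otel/splunk-otel-javaagent-2.20.0.jar "
     "-Dcom.sun.management.jmxremote.port=1099 -cp /app/app.jar com.example.Main", 16),
]

if __name__ == "__main__":
    for cmd, jdk in SAMPLES:
        f = triage(cmd, jdk)
        print(f"jdk={jdk:<3} agent={f['agent_version']} jmx={f['jmx_port']} -> {f['verdict']}")
```

On a real host the same `triage()` can be fed `/proc/<pid>/cmdline` (NUL-separated, so join on spaces and quote as needed) or the output of `ps -o args=`; the JDK major should come from the running JVM rather than the system default `java`, since containers and application servers frequently bundle their own runtime.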

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat            9.3    CRITICAL