CVE-2026-33728
Published 2026-03-27
Priority: P267 · critical · 9.8 (CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.62% (45.3rd percentile)
dd-trace-java is a Datadog APM client for Java. In dd-trace-java versions 0.40.0 through 1.60.2 (fixed in 1.60.3), the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:

1. dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier.
2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable.
3. A gadget-chain-compatible library is present on the classpath.

Remediation depends on the JDK version:

- JDK >= 17: no action is required, but upgrading is strongly encouraged.
- JDK >= 8u121 and < 17: upgrade to dd-trace-java version 1.60.3 or later.
- JDK < 8u121, where serialization filters are not available: apply the workaround.

The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| datadog | dd-trace-java | — | — |
| datadog | dd-trace-java | >= 0.40.0 < 1.60.3 | 1.60.3 |
Detection & IOCs (extracted from sources)
- Detect JVM processes launched with the dd-trace-java agent attached on Java 16 or earlier, combined with an exposed JMX/RMI port: the prerequisite attack surface for this CVE.
- Alert on inbound unauthenticated deserialization traffic to JMX/RMI ports on hosts running dd-trace-java versions 0.40.0 through 1.60.2.
- Check for the absence of the workaround environment variable `DD_INTEGRATION_RMI_ENABLED=false` on vulnerable hosts as an indicator of unmitigated exposure.
- Exploitation requires all three conditions simultaneously: dd-trace-java as a javaagent on JDK ≤ 16, a network-reachable JMX/RMI port, and a gadget-chain-compatible library on the classpath. Missing any one condition prevents exploitation.
- JDK >= 17 is not exploitable; no action is required for those environments, though upgrading dd-trace-java is still encouraged.
- For JDK < 8u121, serialization filters are not available, so upgrading dd-trace-java alone is insufficient; the RMI integration must be disabled via the environment variable workaround.
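A host-side triage check for the exposure conditions and detection points above, written as an added example that is not part of the advisory or of dd-trace-java: it classifies constructed JVM process records (argv, environment, JDK and dd-trace-java versions) into the remediation the advisory prescribes. The helper names, the agent jar path and the sample records are assumptions; condition 3 (a gadget-chain library on the classpath) is not visible in the process table and must be reviewed separately.

```python
import re

# Added example for the advisory above, not dd-trace-java project code; the
# helper names and the sample process records below are constructed.
JMX_PORT_FLAG = "-Dcom.sun.management.jmxremote.port="
FIXED_DD_VERSION = (1, 60, 3)   # first dd-trace-java release with the fix

def parse_java_version(version):
    """'1.8.0_121' -> (8, 121); '8u121' -> (8, 121); '11.0.2' -> (11, 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.\d+)?(?:[_u](\d+))?$", version)
    if not m:
        raise ValueError("unrecognised Java version: %r" % version)
    first, second, update = m.groups()
    if first == "1" and second is not None:      # legacy 1.x numbering
        return int(second), int(update or 0)
    return int(first), int(update or 0)

def assess_exposure(cmdline, env, java_version, dd_version):
    """Classify one JVM (argv list, environment dict, JDK and dd-trace-java
    version strings) against conditions 1 and 2 and the per-JDK remediation.
    'exposed_*' results still need a classpath review for condition 3."""
    if not any(a.startswith("-javaagent:") and "dd-java-agent" in a
               for a in cmdline):
        return "not_instrumented"
    jdk = parse_java_version(java_version)
    if jdk[0] >= 17:
        return "not_affected_jdk17_plus"
    if env.get("DD_INTEGRATION_RMI_ENABLED", "").lower() == "false":
        return "mitigated_rmi_integration_disabled"
    has_filters = jdk >= (8, 121)   # JDK serialization filters exist from 8u121
    if has_filters and tuple(map(int, dd_version.split("."))) >= FIXED_DD_VERSION:
        return "fixed_version_installed"
    if not any(a.startswith(JMX_PORT_FLAG) for a in cmdline):
        return "no_jmx_port_configured"
    return "exposed_upgrade_to_1.60.3" if has_filters else "exposed_apply_workaround"

# Constructed sample processes (pid -> record) standing in for /proc data.
AGENT = "-javaagent:/opt/dd/dd-java-agent.jar"   # constructed path
SAMPLE_PROCESSES = {
    101: (["java", AGENT, JMX_PORT_FLAG + "9010", "-jar", "app.jar"], {}, "1.8.0_292", "1.59.0"),
    102: (["java", AGENT, JMX_PORT_FLAG + "9010", "-jar", "app.jar"], {}, "1.8.0_101", "1.60.3"),
    103: (["java", AGENT, JMX_PORT_FLAG + "9010", "-jar", "app.jar"],
          {"DD_INTEGRATION_RMI_ENABLED": "false"}, "11.0.2", "1.58.0"),
    104: (["java", AGENT, "-jar", "app.jar"], {}, "17.0.2", "1.58.0"),
}

def scan(processes=SAMPLE_PROCESSES):
    return {pid: assess_exposure(*rec) for pid, rec in processes.items()}
```

Process 102 shows the case the advisory singles out: the fixed release is installed, but on a JDK older than 8u121 it does not help, so the environment-variable workaround is still required.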
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- NVD, CVSS v4.0: 9.3 CRITICAL, `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
VulDB (2026-06-04, CVSS 9.3)
CVE-2026-33728 [CRITICAL] DataDog dd-trace-java up to 1.60.2 Environment Variable DD_INTEGRATION_RMI_ENABLED deserialization (GHSA-579q-h82j-r5v2)
A vulnerability classified as critical has been found in DataDog dd-trace-java up to 1.60.2. Affected by this vulnerability is an unknown functionality of the component Environment Variable Handler. Performing a manipulation of the argument DD_INTEGRATION_RMI_ENABLED results in deserialization.
This vulnerability was named CVE-2026-33728. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA (2026-03-26)
CVE-2026-33728 [CRITICAL] CWE-502 dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
1. dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier
2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable
3. A gadget-chain-compatible library is present on the classpath
### Impact
Arbi
OSV (2026-03-26)
CVE-2026-33728 [CRITICAL] dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
No detection rules found.
No public exploits indexed.