PatchSiren cyber security CVE debrief
CVE-2026-33701 open-telemetry CVE debrief
CVE-2026-33701 is a critical vulnerability in OpenTelemetry Java Instrumentation prior to version 2.26.1. The RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters, which can lead to remote code execution on JDK 16 and earlier. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit it. Three conditions must all hold: the OpenTelemetry Java instrumentation is attached as a Java agent on Java 16 or earlier, the JMX/RMI port is explicitly configured and network-reachable, and a gadget-chain-compatible library is present on the classpath. Successful exploitation results in arbitrary remote code execution with the privileges of the user running the instrumented JVM.
- Vendor: open-telemetry
- Product: opentelemetry-java-instrumentation
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-27
- Advisory updated: 2026-06-30
Who should care
Organizations using OpenTelemetry Java Instrumentation prior to version 2.26.1 on JDK version 16 or earlier should be concerned about this vulnerability. Specifically, those with exposed JMX or RMI ports and a gadget-chain-compatible library on the classpath are at risk of remote code execution.
Technical summary
The OpenTelemetry Java Instrumentation library, prior to version 2.26.1, contains a vulnerability in its RMI instrumentation. On JDK 16 and earlier it allows remote code execution, because incoming data on the RMI endpoint was deserialized without serialization filters. Exploitation requires three conditions to be met: the OpenTelemetry Java instrumentation must be attached as a Java agent, the JMX/RMI port must be configured and reachable, and a gadget-chain-compatible library must be present on the classpath. Successful exploitation leads to arbitrary remote code execution with the privileges of the user running the instrumented JVM.
Defensive priority
High priority should be given to upgrading OpenTelemetry Java Instrumentation to version 2.26.1 or later, especially for environments running JDK version 16 or earlier. As a temporary measure, disabling the RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false` can mitigate the risk.
Recommended defensive actions
- Upgrade OpenTelemetry Java Instrumentation to version 2.26.1 or later
- Disable RMI integration by setting `-Dotel.instrumentation.rmi.enabled=false` if an immediate upgrade is not feasible
- Ensure JMX/RMI ports are not exposed to untrusted networks
- Verify that gadget-chain-compatible libraries are not present on the classpath unless necessary
- Monitor for unusual activity on JMX/RMI ports
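To turn the three preconditions and the two mitigations above into a repeatable check over a process inventory, here is an added triage script (not from the advisory or the OpenTelemetry project). It assumes the agent jar keeps its release file name, that JMX is enabled through the standard `com.sun.management.jmxremote` port properties, and that the caller supplies each JVM's JDK major version; the gadget-library condition is not checked and must be reviewed separately.

```python
import re

# From the advisory: fixed in agent 2.26.1; RCE reachable on JDK 16 and earlier.
FIXED_AGENT_VERSION = (2, 26, 1)
LAST_AFFECTED_JDK = 16
RMI_OFF_FLAG = "-Dotel.instrumentation.rmi.enabled=false"
# Assumptions: the agent jar keeps its release file name and JMX is enabled with the
# standard com.sun.management.jmxremote(.rmi).port property. JMX set up through
# management.properties and the gadget-library condition are not visible here.
AGENT_RE = re.compile(r"-javaagent:\S*?opentelemetry-javaagent(?:-(\d+)\.(\d+)\.(\d+))?\S*\.jar")
JMX_PORT_RE = re.compile(r"-Dcom\.sun\.management\.jmxremote(?:\.rmi)?\.port=(\d+)")

def assess(pid, jdk_major, cmdline):
    """Classify one JVM from its JDK major version and full command line."""
    agent = AGENT_RE.search(cmdline)
    if not agent:
        return {"pid": pid, "verdict": "not instrumented"}
    # () marks an unversioned jar name; an unknown version is treated as unpatched.
    version = tuple(int(g) for g in agent.groups()) if agent.group(1) else ()
    port = JMX_PORT_RE.search(cmdline)
    rmi_off = RMI_OFF_FLAG in cmdline.split()
    if version and version >= FIXED_AGENT_VERSION:
        verdict = "patched"
    elif jdk_major > LAST_AFFECTED_JDK:
        verdict = "low: JDK not affected, schedule the upgrade"
    elif rmi_off:
        verdict = "mitigated: RMI instrumentation disabled, upgrade still required"
    elif port is None:
        verdict = "review: unpatched agent, no JMX/RMI port flag on command line"
    else:
        verdict = "at risk: upgrade to 2.26.1 or set " + RMI_OFF_FLAG
    return {"pid": pid, "jdk": jdk_major, "agent": version or None,
            "jmx_port": int(port.group(1)) if port else None, "verdict": verdict}

# Constructed sample inventory (pid, JDK major, command line); not real hosts.
SAMPLE_PROCESSES = [
    (101, 11, "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
              "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    (102, 11, "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
              + RMI_OFF_FLAG + " -Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    (103, 17, "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
              "-Dcom.sun.management.jmxremote.rmi.port=9011 -jar app.jar"),
    (104, 8, "java -javaagent:/opt/otel/opentelemetry-javaagent-2.26.1.jar -jar app.jar"),
    (105, 8, "java -javaagent:/opt/otel/opentelemetry-javaagent.jar -jar app.jar"),
]

def triage(processes=SAMPLE_PROCESSES):
    return [assess(*p) for p in processes]
```

Feed `triage()` the real (pid, JDK major, command line) triples from `ps` or `jcmd` output; a "review" verdict means the port was not seen on the command line, not that JMX is off.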
Evidence notes
The CVE-2026-33701 vulnerability was made public on March 27, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 9.3 and is considered critical. Multiple sources, including GitHub and Red Hat, have provided information and patches related to this vulnerability.
Official resources
- CVE-2026-33701 CVE record (CVE.org)
- CVE-2026-33701 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Patch
- Mitigation or vendor reference: Release Notes
- Mitigation or vendor reference: Mitigation, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.