PatchSiren cyber security CVE debrief

CVE-2026-33701 open-telemetry CVE debrief

CVE-2026-33701 is a critical vulnerability in OpenTelemetry Java Instrumentation prior to version 2.26.1. The RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters, potentially allowing remote code execution on JDK version 16 and earlier. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit it, provided three conditions hold: OpenTelemetry Java instrumentation is attached as a Java agent on Java 16 or earlier, the JMX/RMI port is explicitly configured and network-reachable, and a gadget-chain-compatible library is present on the classpath. Successful exploitation yields arbitrary remote code execution with the privileges of the user running the instrumented JVM.

Vendor: open-telemetry
Product: opentelemetry-java-instrumentation
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-27
Original CVE updated: 2026-06-30
Advisory published: 2026-03-27
Advisory updated: 2026-06-30

Who should care

Organizations using OpenTelemetry Java Instrumentation prior to version 2.26.1 on JDK version 16 or earlier should be concerned about this vulnerability. Specifically, those with exposed JMX or RMI ports and a gadget-chain-compatible library on the classpath are at risk of remote code execution.

Technical summary

The OpenTelemetry Java Instrumentation library, prior to version 2.26.1, contains a vulnerability in its RMI instrumentation. Because incoming data is deserialized without proper serialization filters, the flaw allows remote code execution on JDK versions 16 and earlier. Exploitation requires three conditions: the OpenTelemetry Java instrumentation must be attached as a Java agent, the JMX/RMI port must be configured and reachable, and a gadget-chain-compatible library must be present on the classpath. Successful exploitation leads to arbitrary remote code execution with the privileges of the user running the instrumented JVM.

Defensive priority

High priority should be given to upgrading OpenTelemetry Java Instrumentation to version 2.26.1 or later, especially for environments running JDK version 16 or earlier. As a temporary measure, disabling the RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false` can mitigate the risk.

Recommended defensive actions

  • Upgrade OpenTelemetry Java Instrumentation to version 2.26.1 or later
  • Disable RMI integration by setting `-Dotel.instrumentation.rmi.enabled=false` if an immediate upgrade is not feasible
  • Ensure JMX/RMI ports are not exposed to untrusted networks
  • Verify that gadget-chain-compatible libraries are not present on the classpath unless necessary
  • Monitor for unusual activity on JMX/RMI ports
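The exposure conditions above (agent attached, Java 16 or earlier, JMX/RMI port configured, RMI instrumentation not disabled) can be checked per JVM from its command line and `java -version` output. The script below is an added triage example written for this debrief; it is not PatchSiren's or the OpenTelemetry project's code. The inventory records, PIDs, jar paths and version strings are constructed, and the assumption that the agent jar name carries a version suffix is a convenience (the stock `opentelemetry-javaagent.jar` has none, which the script reports as "verify manually"). The third condition, a gadget-chain-compatible library on the classpath, needs a dependency review and is only flagged for follow-up.

```python
"""Triage JVM command lines against the CVE-2026-33701 exposure conditions.

Added example, not code from PatchSiren or the OpenTelemetry project.
Every inventory record below is constructed for illustration.
"""
import re

FIXED_AGENT_VERSION = (2, 26, 1)   # first fixed release named in the debrief
LAST_AFFECTED_JAVA_MAJOR = 16      # JDK 16 and earlier are affected

# -javaagent:/path/opentelemetry-javaagent[-X.Y.Z].jar (version suffix optional)
AGENT_RE = re.compile(
    r"-javaagent:(\S*opentelemetry-javaagent(?:-(\d+)\.(\d+)\.(\d+))?\.jar)")
# -Dname=value system properties (JMX port, OTel instrumentation toggles, ...)
PROP_RE = re.compile(r"-D([\w.]+)=(\S*)")


def parse_java_major(version_line):
    """Return the Java major version from a `java -version` line.

    Handles the legacy "1.8.0_372" scheme (major 8) and the modern
    "11.0.20" / "17" scheme. Returns None when no version is found.
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_line)
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first


def assess(cmdline, java_major):
    """Classify one JVM against the advisory's conditions.

    Returns a dict with a verdict and a human-readable reason. The classpath
    (gadget-chain) condition is reported for follow-up, not decided here.
    """
    props = dict(PROP_RE.findall(cmdline))
    agent = AGENT_RE.search(cmdline)
    if not agent:
        return {"verdict": "NOT_AFFECTED",
                "reason": "no OpenTelemetry Java agent attached"}

    # Version is only known when the jar name encodes it; None means unknown.
    version = (tuple(int(g) for g in agent.groups()[1:])
               if agent.group(2) else None)
    if version is not None and version >= FIXED_AGENT_VERSION:
        return {"verdict": "PATCHED",
                "reason": f"agent {'.'.join(map(str, version))} >= 2.26.1"}

    if java_major is not None and java_major > LAST_AFFECTED_JAVA_MAJOR:
        return {"verdict": "NOT_AFFECTED",
                "reason": f"JDK {java_major} is newer than 16; upgrade the agent anyway"}

    # JMX remote port property as documented by the JDK; RMI is its transport.
    jmx_port = props.get("com.sun.management.jmxremote.port")
    if not jmx_port:
        return {"verdict": "NOT_EXPOSED",
                "reason": "no JMX/RMI port configured; upgrade the agent anyway"}

    # The debrief's workaround: RMI instrumentation switched off explicitly.
    if props.get("otel.instrumentation.rmi.enabled", "true").lower() == "false":
        return {"verdict": "MITIGATED",
                "reason": "RMI instrumentation disabled; upgrade still required"}

    agent_desc = ("agent version not encoded in jar name, verify manually"
                  if version is None
                  else f"agent {'.'.join(map(str, version))} < 2.26.1")
    return {"verdict": "AT_RISK",
            "reason": (f"{agent_desc}; JDK {java_major or 'unknown'}; "
                       f"JMX port {jmx_port} configured; RMI instrumentation "
                       "enabled; review classpath for gadget-chain libraries")}


# Constructed sample inventory: (pid, `java -version` line, JVM command line).
SAMPLE_INVENTORY = [
    ("4101", 'openjdk version "11.0.20" 2023-07-18',
     "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    ("4102", 'openjdk version "11.0.20" 2023-07-18',
     "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
     "-Dcom.sun.management.jmxremote.port=9010 "
     "-Dotel.instrumentation.rmi.enabled=false -jar app.jar"),
    ("4103", 'openjdk version "17.0.9" 2023-10-17',
     "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    ("4104", 'java version "1.8.0_372"',
     "java -javaagent:/opt/otel/opentelemetry-javaagent-2.26.1.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    ("4105", 'java version "1.8.0_372"',
     "java -javaagent:/opt/otel/opentelemetry-javaagent.jar -jar app.jar"),
]


def triage(inventory):
    """Run assess() over an inventory and key the results by PID."""
    return {pid: assess(cmd, parse_java_major(ver)) for pid, ver, cmd in inventory}


if __name__ == "__main__":
    for pid, result in triage(SAMPLE_INVENTORY).items():
        print(f"pid {pid}: {result['verdict']} - {result['reason']}")
```

On a real host the inventory would come from `ps -o pid,args` (or `/proc/<pid>/cmdline`) plus `java -version` for each JVM's runtime; the verdicts are only a prioritisation aid, and every host running an agent older than 2.26.1 still belongs on the upgrade list.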

Evidence notes

The CVE-2026-33701 vulnerability was made public on March 27, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 9.3 and is considered critical. Multiple sources, including GitHub and Red Hat, have provided information and patches related to this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.