CVE-2026-33701 Overview
CVE-2026-33701 is a critical insecure deserialization vulnerability affecting OpenTelemetry Java Instrumentation versions prior to 2.26.1. The RMI instrumentation component registered a custom endpoint that deserialized incoming data without applying serialization filters, potentially allowing remote code execution on vulnerable systems running JDK 16 or earlier.
Critical Impact
An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this vulnerability to achieve arbitrary remote code execution with the privileges of the user running the instrumented JVM.
Affected Products
- OpenTelemetry Java Instrumentation versions prior to 2.26.1
- Systems running JDK 16 or earlier with the Java agent attached
- JVMs with explicitly configured JMX/RMI ports (-Dcom.sun.management.jmxremote.port)
Discovery Timeline
- 2026-03-27 - CVE-2026-33701 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-33701
Vulnerability Analysis
This vulnerability stems from unsafe deserialization practices in the RMI instrumentation module of OpenTelemetry Java Instrumentation. When the Java agent is attached to a JVM with an exposed JMX/RMI port, the custom endpoint accepts and deserializes incoming data without implementing proper serialization filters.
Exploitation requires three conditions to hold at the same time:
- OpenTelemetry Java Instrumentation is attached as a Java agent (-javaagent) on Java 16 or earlier
- the JMX/RMI port is explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable
- a gadget-chain-compatible library is present on the classpath
When these conditions align, an attacker can craft malicious serialized objects that, when deserialized by the vulnerable endpoint, execute arbitrary code on the target system. The impact is particularly severe because successful exploitation grants the attacker code execution privileges equivalent to the user running the instrumented JVM.
Root Cause
The root cause is classified as CWE-502 (Deserialization of Untrusted Data). The RMI instrumentation component failed to implement serialization filters when processing incoming data through its custom endpoint. This oversight allowed arbitrary object deserialization, which can be exploited through well-known Java deserialization gadget chains when compatible libraries are present in the application's classpath.
Attack Vector
The attack is network-based and requires the attacker to have network access to an exposed JMX/RMI port on the target system. The attacker sends a specially crafted serialized payload containing a gadget chain to the vulnerable RMI endpoint. Upon deserialization, the malicious payload triggers code execution without requiring authentication or user interaction.
The vulnerability mechanism involves the RMI instrumentation accepting serialized Java objects over the network and deserializing them without validation. When a gadget-chain-compatible library (such as Apache Commons Collections or similar libraries commonly found in Java applications) is present on the classpath, the attacker can leverage known deserialization gadget chains to achieve arbitrary code execution.
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-33701
Indicators of Compromise
- Unexpected network connections to JMX/RMI ports from external or unauthorized IP addresses
- Anomalous process spawning from JVM processes instrumented with OpenTelemetry
- Unusual serialized Java object traffic patterns on RMI ports
- Evidence of gadget chain exploitation in application logs or memory dumps
Detection Strategies
- Monitor network traffic to JMX/RMI ports for suspicious serialized object patterns
- Implement network segmentation to detect unauthorized access attempts to management ports
- Deploy Java agent monitoring to detect deserialization of unexpected object types
- Use endpoint detection to identify post-exploitation behaviors such as unauthorized process creation
Monitoring Recommendations
- Enable JMX authentication logging and monitor for failed or suspicious authentication attempts
- Implement network monitoring rules for traffic to ports configured via -Dcom.sun.management.jmxremote.port
- Configure alerts for new outbound connections initiated by instrumented Java processes
- Monitor for known Java deserialization exploitation tools and techniques
How to Mitigate CVE-2026-33701
Immediate Actions Required
- Upgrade OpenTelemetry Java Instrumentation to version 2.26.1 or later immediately
- For JDK 16 or earlier environments, prioritize patching as these versions are vulnerable
- Audit all JVM instances for exposed JMX/RMI ports and restrict network access
- Review application classpaths for known gadget-chain-compatible libraries
Patch Information
The vulnerability has been addressed in OpenTelemetry Java Instrumentation version 2.26.1. The fix implements proper serialization filters for the RMI instrumentation endpoint. Organizations should upgrade to version 2.26.1 or later to remediate this vulnerability.
For systems running JDK 17 or later, the built-in serialization protections provide defense-in-depth, though upgrading is still strongly recommended.
Patch details are available in the GitHub commit and the version 2.26.1 release.
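As an added illustration (not OpenTelemetry's own fix code), the Java below places the unfiltered readObject() pattern behind CWE-502 next to the same read guarded by a JEP 290 ObjectInputFilter allow-list; the DTO package com.example.telemetry and the sample objects are assumptions.

```java
import java.io.*;
import java.util.*;

public class SerialFilterExample {

    // Vulnerable pattern (CWE-502): whatever arrives is deserialized, so any
    // Serializable class on the classpath can be instantiated, which is exactly
    // what a gadget chain relies on.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allow-list. Only java.base types and the
    // (assumed) DTO package com.example.telemetry may be deserialized; "!*"
    // rejects everything else, and the limits bound nesting depth and array size.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.base/*;com.example.telemetry.**;!*;maxdepth=10;maxarray=10000");

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOW_LIST);   // a rejected class raises InvalidClassException
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a java.base object, and one from java.desktop (outside the allow-list).
        byte[] benign = serialize(new ArrayList<>(List.of("span-id", "trace-id")));
        byte[] outside = serialize(new java.awt.Point(1, 2));
        System.out.println("unfiltered: " + readUnfiltered(benign) + " / " + readUnfiltered(outside));
        System.out.println("filtered:   " + readFiltered(benign));
        try {
            readFiltered(outside);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected java.awt.Point: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide, which also covers RMI streams, with -Djdk.serialFilter='...' on the JVM command line (JDK 9+ and JDK 8u121+), without changing application code.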
Workarounds
- Disable RMI instrumentation by setting the system property -Dotel.instrumentation.rmi.enabled=false
- Restrict network access to JMX/RMI ports using firewall rules
- Upgrade to JDK 17 or later where built-in serialization protections mitigate the risk
- Remove or update gadget-chain-compatible libraries from the application classpath where possible
# Disable RMI instrumentation as a workaround
java -javaagent:opentelemetry-javaagent.jar \
     -Dotel.instrumentation.rmi.enabled=false \
     -jar your-application.jar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.