What is CVE-2026-33701?

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: 1. OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) 2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service) 3. A gadget-chain-compatible library is present on the classpath ### Impact Arbitrary remote code execution with the privileges of the user running the instrumented JVM. ### Recommendation Upgrade to version 2.26.1 or later. ### Workarounds Set the following system property to disable the RMI integration: ``` -Dotel.instrumentation.rmi.enabled=false ``` ### Credits This vulnerability was responsibly disclosed in coordination with Datadog.

What is the severity of CVE-2026-33701?

CVE-2026-33701 has a CVSS v3 score of 9.8, which is classified as Critical severity.

Is there an exploit available for CVE-2026-33701?

No known public exploits are currently available for CVE-2026-33701.

Is there a patch available for CVE-2026-33701?

Yes, patches are available for CVE-2026-33701. Check the vendor advisories for update instructions.

CVE-2026-33701 - CVE Details, Severity, and Analysis

Published: June 18, 2026

Last updated:3 days ago (June 18, 2026)

Updated June 18, 2026

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:

OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent)
An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service)
A gadget-chain-compatible library is present on the classpath

Impact

Arbitrary remote code execution with the privileges of the user running the instrumented JVM.

Recommendation

Upgrade to version 2.26.1 or later.

Workarounds

Set the following system property to disable the RMI integration:

-Dotel.instrumentation.rmi.enabled=false

Credits

This vulnerability was responsibly disclosed in coordination with Datadog.

Strobes VI. (2026). CVE-2026-33701 - CVE Details and Analysis. Strobes VI. Retrieved June 21, 2026, from https://vi.strobes.co/cve/CVE-2026-33701

Vendor	Product
Linuxfoundation	Opentelemetry Instrumentation For Java

NVD: OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.

Ready for Agentic Automated Testing?

CVE-2026-33701

Impact

Recommendation

Workarounds

Credits