Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-33728 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
-javaagent) on Java 16 or earlier-Dcom.sun.management.jmxremote.port and is network-reachableArbitrary remote code execution with the privileges of the user running the instrumented JVM.
Set the following environment variable to disable the RMI integration: DD_INTEGRATION_RMI_ENABLED=false
This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.