CVE-2026-33701: OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
- OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent)
- An RMI endpoint is network-reachable (e.g. a JMX remote port, an RMI registry, or any application-exported RMI service)
- A gadget-chain-compatible library is present on the classpath
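A triage helper for the three conditions above, added here as an example; it is not part of the advisory or of the OpenTelemetry project. It classifies JVM command lines (as printed by ps -eo args) by whether an OpenTelemetry Java agent older than 2.26.1 is attached and whether the standard JMX remote port property is set. The agent jar naming pattern (opentelemetry-javaagent[-<version>].jar), reliance on -Dcom.sun.management.jmxremote.port and the sample command lines are assumptions made for this example. The third condition, a gadget library on the classpath, cannot be judged from a command line, so the script never reports "vulnerable"; it reports what still has to be checked by hand.

```shell
#!/bin/sh
# Added triage helper (example code, not the advisory's or OpenTelemetry's).
# Input: one JVM command line per call, as shown by `ps -eo args`.
# Assumptions (mine): the agent jar is named opentelemetry-javaagent[-<ver>].jar
# and JMX is exposed through -Dcom.sun.management.jmxremote.port=<n>.

FIXED_VERSION="2.26.1"   # from the advisory: versions prior to 2.26.1 are affected

# Print the path of the first -javaagent: flag that names the OpenTelemetry agent.
otel_agent_path() {
  printf '%s\n' "$1" | tr ' ' '\n' \
    | sed -n 's/^-javaagent:\([^=]*\).*/\1/p' \
    | grep -i 'opentelemetry-javaagent' | head -n 1
}

# Print the version embedded in the agent jar name, or "unknown" if absent.
otel_agent_version() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*opentelemetry-javaagent-\([0-9][0-9.]*\)\.jar$/\1/p')
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Return 0 if dotted version $1 is older than $2 (pure POSIX sh, no sort -V).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# Classify one command line. Output: "<result> <agent-version|-> <jmx-port|->".
#   NOT_AFFECTED  no OpenTelemetry agent, or agent already at/after 2.26.1
#   REVIEW        affected agent and a JMX remote port on the command line;
#                 inspect the classpath for gadget libraries before calling it exploitable
#   CHECK_RMI     affected agent, no JMX port flag; the application may still
#                 export RMI services or a registry itself (condition 2 unresolved)
triage_jvm_cmdline() {
  cmdline=$1
  agent=$(otel_agent_path "$cmdline")
  if [ -z "$agent" ]; then
    printf 'NOT_AFFECTED - -\n'; return 0
  fi
  ver=$(otel_agent_version "$agent")
  port=$(printf '%s\n' "$cmdline" \
    | sed -n 's/.*-Dcom\.sun\.management\.jmxremote\.port=\([0-9]*\).*/\1/p')
  [ -z "$port" ] && port=-
  if [ "$ver" != unknown ] && ! version_lt "$ver" "$FIXED_VERSION"; then
    printf 'NOT_AFFECTED %s %s\n' "$ver" "$port"; return 0
  fi
  if [ "$port" != - ]; then
    printf 'REVIEW %s %s\n' "$ver" "$port"
  else
    printf 'CHECK_RMI %s %s\n' "$ver" "$port"
  fi
}

# Constructed sample input (not real process output); in practice feed
# `ps -eo args | grep '[j]ava'` into the same loop.
SAMPLE_CMDLINES='java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar -Dcom.sun.management.jmxremote.port=9010 -jar /srv/app.jar
java -javaagent:/opt/otel/opentelemetry-javaagent-2.26.1.jar -Dcom.sun.management.jmxremote.port=9010 -jar /srv/app.jar
java -javaagent:/opt/otel/opentelemetry-javaagent.jar -jar /srv/app.jar
java -Xmx2g -jar /srv/app.jar'

printf '%s\n' "$SAMPLE_CMDLINES" | while IFS= read -r line; do
  triage_jvm_cmdline "$line"
done
```

The only fix the advisory names is upgrading the agent to 2.26.1; an agent jar without a version in its filename comes back as "unknown", so resolve it from the jar manifest rather than assuming it is current. Independently of this advisory, a JVM-wide deserialization allow-list set with -Djdk.serialFilter (JEP 290) is a standard defense in depth for any exposed RMI or JMX endpoint; whether it covers the endpoint described here is not stated by the advisory, so treat it as a hardening measure rather than a substitute for the upgrade.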
References
- github.com/advisories/GHSA-xw7x-h9fj-p2c7
- github.com/open-telemetry/opentelemetry-java-instrumentation
- github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197
- github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1
- github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7
- nvd.nist.gov/vuln/detail/CVE-2026-33701