CVE-2026-33701
Published: 27 March 2026
Summary
CVE-2026-33701 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in OpenTelemetry Java Instrumentation (the Linux Foundation project), affecting versions prior to 2.26.1. Its CVSS v3.1 base score is 9.8 (Critical). Exploitation is only possible when the agent runs on JDK 16 or earlier with a network-reachable JMX/RMI port configured and a suitable gadget chain on the classpath.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) mandates timely flaw remediation, directly addressing this CVE by requiring an upgrade to OpenTelemetry Java Instrumentation 2.26.1 or later on any JVM running JDK 16 or earlier.
CM-6 (Configuration Settings) enforces secure configuration settings, such as setting -Dotel.instrumentation.rmi.enabled=false (the vendor workaround), or not configuring -Dcom.sun.management.jmxremote.port at all unless remote JMX is actually required, which removes the network-reachable endpoint the exploit depends on.
SC-7 (Boundary Protection) monitors and controls communications at external interfaces, blocking network access to JMX/RMI ports from untrusted networks so that an unpatched JVM is not reachable by an attacker.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote code execution via malicious deserialization over a network-reachable JMX/RMI port exposed by the instrumented JVM, which maps directly to T1190 (Exploit Public-Facing Application).
NVD Description
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, a gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
Deeper analysis
CVE-2026-33701 affects OpenTelemetry Java Instrumentation libraries in versions prior to 2.26.1, which provide auto-instrumentation for Java applications. The vulnerability stems from the RMI instrumentation registering a custom endpoint that deserializes incoming data without applying serialization filters, enabling potential remote code execution (RCE) on JDK versions 16 and earlier. This issue is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 9.8 (Critical), reflecting its high impact due to network-based exploitation without authentication.
Exploitation requires three conditions to hold at once: OpenTelemetry Java Instrumentation attached as a Java agent (-javaagent) on JDK 16 or earlier; a JMX/RMI port explicitly configured via -Dcom.sun.management.jmxremote.port and network-reachable; and a gadget-chain-compatible library present on the classpath. An attacker with network access to that port can send a crafted serialized object to the endpoint registered by the RMI instrumentation and achieve arbitrary code execution with the privileges of the user running the instrumented JVM. Note that the JMX port does not have to appear on the visible command line: the JVM also honours options passed through JAVA_TOOL_OPTIONS, so an audit should include the process environment.
The advisory recommends upgrading to version 2.26.1 or later for JDK versions below 17; no immediate action is required for JDK 17 and above, though upgrading is encouraged. As a workaround, disable the RMI integration by setting the system property -Dotel.instrumentation.rmi.enabled=false, which also turns off RMI call instrumentation until the agent is upgraded. Details are available in the OpenTelemetry GitHub security advisory (GHSA-xw7x-h9fj-p2c7), the v2.26.1 release notes, and the fixing commit (9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197).
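The three exploitation conditions and the two remediations above translate into a mechanical audit of each JVM's launch configuration. The following script is an added example, not code from the advisory or from the OpenTelemetry project: it takes a java command line (as you would read it from `ps -o args=`), the JDK major version, the agent version (assumed to be known from your deployment manifest) and optionally the process environment, and classifies the JVM as vulnerable, fixed, mitigated by the workaround, needing an upgrade, or not affected. The jar name `opentelemetry-javaagent` is assumed to be the upstream default, and the environment-variable form `OTEL_INSTRUMENTATION_RMI_ENABLED` is assumed from the agent's documented property-to-variable naming rule. The third condition (a gadget chain on the classpath) is not checked, so the script assumes the worst once the first two hold. All sample launch lines are constructed for illustration.

```python
"""Added example: audit a JVM launch configuration against the conditions for
CVE-2026-33701. Not part of the advisory or of the OpenTelemetry project.

Assumptions (not taken from the advisory):
  - the agent jar is named with the upstream default 'opentelemetry-javaagent';
  - OTEL_INSTRUMENTATION_RMI_ENABLED is the env equivalent of the property;
  - the agent version is supplied by the caller (e.g. from a deployment manifest).
Gadget-chain presence on the classpath is NOT verified here.
"""
import re
import shlex

FIXED_VERSION = (2, 26, 1)
AGENT_MARKER = "opentelemetry-javaagent"
WORKAROUND_PROP = "otel.instrumentation.rmi.enabled"
WORKAROUND_ENV = "OTEL_INSTRUMENTATION_RMI_ENABLED"
JMX_PORT_PROP = "com.sun.management.jmxremote.port"


def parse_version(text):
    """'2.25.0' or '2.26.1-SNAPSHOT' -> (2, 25, 0) / (2, 26, 1)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised agent version: {text!r}")
    return tuple(int(x) for x in m.groups())


def jvm_options(cmdline, env=None):
    """Collect -D properties and -javaagent jar paths from the launch configuration.

    JAVA_TOOL_OPTIONS is merged in first because the JVM honours it even when the
    visible command line mentions neither a port nor an agent; explicit command-line
    options are parsed afterwards so they override it.
    """
    env = env or {}
    props, agents = {}, []
    for source in (env.get("JAVA_TOOL_OPTIONS", ""), cmdline):
        for tok in shlex.split(source):
            if tok.startswith("-D"):
                key, _, val = tok[2:].partition("=")
                props[key] = val
            elif tok.startswith("-javaagent:"):
                # '-javaagent:/path/agent.jar=opts' -> '/path/agent.jar'
                agents.append(tok[len("-javaagent:"):].split("=", 1)[0])
    return props, agents


def assess(cmdline, jdk_major, agent_version, env=None):
    """Return (status, reason); status is one of
    not-affected, fixed, mitigated, upgrade, vulnerable."""
    env = env or {}
    props, agents = jvm_options(cmdline, env)

    # Condition 1: the OpenTelemetry agent is attached, on JDK 16 or earlier.
    if not any(AGENT_MARKER in a for a in agents):
        return "not-affected", "no OpenTelemetry javaagent attached"
    if jdk_major >= 17:
        return "not-affected", f"JDK {jdk_major} is not affected per the advisory; upgrade still encouraged"
    if parse_version(agent_version) >= FIXED_VERSION:
        return "fixed", f"agent {agent_version} is >= 2.26.1"

    # Vendor workaround: RMI instrumentation disabled (property wins over env).
    rmi_enabled = props.get(WORKAROUND_PROP, env.get(WORKAROUND_ENV, "true"))
    if rmi_enabled.strip().lower() == "false":
        return "mitigated", f"{WORKAROUND_PROP}=false; upgrade to 2.26.1 or later anyway"

    # Condition 2: a JMX/RMI port is explicitly configured.
    if JMX_PORT_PROP not in props:
        return "upgrade", "vulnerable agent version but no JMX/RMI port configured; upgrade before one is added"

    # Condition 3 (gadget chain on the classpath) is not checked: assume the worst.
    return "vulnerable", (f"agent {agent_version} on JDK {jdk_major} with "
                          f"{JMX_PORT_PROP}={props[JMX_PORT_PROP]} and RMI instrumentation enabled")


# Constructed sample launch configurations (not captured from any real system).
AGENT = "-javaagent:/opt/otel/opentelemetry-javaagent.jar"
SAMPLES = {
    "exposed":     (f"java {AGENT} -D{JMX_PORT_PROP}=9010 -jar app.jar", 11, "2.25.0", {}),
    "workaround":  (f"java {AGENT} -D{JMX_PORT_PROP}=9010 -D{WORKAROUND_PROP}=false -jar app.jar", 11, "2.25.0", {}),
    "hidden_port": (f"java {AGENT} -jar app.jar", 8, "2.25.0", {"JAVA_TOOL_OPTIONS": f"-D{JMX_PORT_PROP}=9010"}),
    "patched":     (f"java {AGENT} -D{JMX_PORT_PROP}=9010 -jar app.jar", 11, "2.26.1", {}),
    "jdk17":       (f"java {AGENT} -D{JMX_PORT_PROP}=9010 -jar app.jar", 17, "2.25.0", {}),
    "no_port":     (f"java {AGENT} -jar app.jar", 11, "2.25.0", {}),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        status, reason = assess(*args)
        print(f"{name:12s} {status:13s} {reason}")
```

Feed it real data by iterating over `ps -eo pid,args=` output and `/proc/<pid>/environ`; the `hidden_port` sample is the case a command-line-only grep misses.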
Details
- CWE(s)