Cyber Resilience

CVE-2026-33701

Critical · RCE · Updated

Published: 27 March 2026

Modified: 30 June 2026
KEV Added
Patch
CVSS Score (v4): 9.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0092 (55.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33701 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Linuxfoundation Opentelemetry Instrumentation For Java. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-33701 affects OpenTelemetry Java Instrumentation libraries in versions prior to 2.26.1, which provide auto-instrumentation for Java applications. The vulnerability stems from the RMI instrumentation registering a custom endpoint that deserializes incoming data without applying serialization filters, enabling potential remote code execution (RCE) on JDK versions 16 and earlier. This issue is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 9.8 (Critical), reflecting its high impact due to network-based exploitation without authentication.

Exploitation requires three conditions: OpenTelemetry Java Instrumentation attached as a Java agent (-javaagent) on JDK 16 or earlier; a JMX/RMI port explicitly configured via -Dcom.sun.management.jmxremote.port and network-reachable; and a gadget-chain-compatible library present on the classpath. An attacker with network access to the exposed JMX or RMI port can send malicious serialized data, achieving arbitrary RCE with the privileges of the user running the instrumented JVM.

Advisories recommend upgrading to version 2.26.1 or later for JDK versions below 17, while no immediate action is required for JDK 17 and above, though upgrading is encouraged. As a workaround, disable the RMI integration by setting the system property -Dotel.instrumentation.rmi.enabled=false. Details are available in the OpenTelemetry GitHub security advisory (GHSA-xw7x-h9fj-p2c7), the v2.26.1 release notes, and the fixing commit (9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:

1. OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier.
2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable.
3. A gadget-chain-compatible library is present on the classpath.

This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
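As an added example (not code from the advisory or the OpenTelemetry project), the following Python script audits JVM command lines against the three preconditions listed above and in the Deeper analysis section, and reports whether the workaround property is present. It assumes the agent jar path contains "opentelemetry" and takes the JDK major version as a separate input, because neither the agent version nor the presence of a gadget-chain library can be read from a command line.

```python
import shlex

# Property names come from the advisory; the jar-name heuristic is an assumption.
JMX_PORT_PROP = "-Dcom.sun.management.jmxremote.port="
RMI_OFF_PROP = "-Dotel.instrumentation.rmi.enabled=false"


def assess_jvm(cmdline, jdk_major):
    """Classify one JVM command line (e.g. from `ps -o args`) against the advisory.

    Condition 3 (gadget-chain-compatible library on the classpath) cannot be seen
    here, so it is treated as unknown and assumed possible. "vulnerable-configuration"
    means: verify the agent version is >= 2.26.1 or apply the workaround.
    """
    args = shlex.split(cmdline)
    agent = any(a.startswith("-javaagent:") and "opentelemetry" in a.lower()
                for a in args)
    port = next((a[len(JMX_PORT_PROP):] for a in args
                 if a.startswith(JMX_PORT_PROP)), None)
    rmi_off = RMI_OFF_PROP in args
    if not agent:
        status = "no-otel-agent"
    elif jdk_major >= 17:
        status = "jdk-not-affected"          # advisory: no action required
    elif rmi_off:
        status = "workaround-applied"        # RMI instrumentation disabled
    elif port is None:
        status = "jmx-port-not-configured"   # condition 2 not met
    else:
        status = "vulnerable-configuration"  # conditions 1 and 2 met on JDK <= 16
    return {"agent": agent, "jmx_port": port, "rmi_disabled": rmi_off,
            "jdk_major": jdk_major, "status": status}


# Constructed sample command lines with their JDK major versions (not real hosts).
SAMPLE_JVMS = [
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
     "-Dotel.instrumentation.rmi.enabled=false "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
     "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 17),
    ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar -jar app.jar", 8),
    ("java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar", 11),
]


def audit(samples=SAMPLE_JVMS):
    """Return the status for each (cmdline, jdk_major) pair."""
    return [assess_jvm(cmd, jdk)["status"] for cmd, jdk in samples]


if __name__ == "__main__":
    for (cmd, jdk), status in zip(SAMPLE_JVMS, audit()):
        print(f"jdk{jdk}: {status}")
```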

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated RCE via malicious deserialization over an exposed network-reachable JMX/RMI port, directly mapping to T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35171 (same vendor: Linuxfoundation)
CVE-2025-68137 (same vendor: Linuxfoundation)
CVE-2026-37530 (same vendor: Linuxfoundation)
CVE-2026-24124 (same vendor: Linuxfoundation)
CVE-2024-24421 (same vendor: Linuxfoundation)
CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)

Affected Assets

Vendor: linuxfoundation
Product: opentelemetry instrumentation for java
Versions: ≤ 2.26.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 mandates timely flaw remediation, directly mitigating this CVE by requiring upgrades to OpenTelemetry Java Instrumentation version 2.26.1 or later.

prevent: CM-6 enforces secure configuration settings, such as setting -Dotel.instrumentation.rmi.enabled=false or restricting JMX/RMI port exposure to prevent network access.

prevent: SC-7 implements boundary protection to monitor and control communications at external interfaces, blocking unauthorized network access to vulnerable JMX/RMI ports.

References