
Lauri Tulmin

#24955 of 53,633
9.8 Total CVSS
Vulnerabilities · 1
PT-2026-28180
9.8
2026-03-25
Opentelemetry · @Opentelemetry/Instrumentation · CVE-2026-33701
**Name of the Vulnerable Software and Affected Versions**

OpenTelemetry Java Instrumentation versions prior to 2.26.1

**Description**

The Java instrumentation for OpenTelemetry registers a custom endpoint that deserializes incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could potentially achieve remote code execution. Three conditions must be met for exploitation:

- OpenTelemetry Java instrumentation must be attached as a Java agent (`-javaagent`).
- A JMX/RMI port must be explicitly configured and network-reachable.
- A gadget-chain-compatible library must be present on the classpath.

Successful exploitation can lead to arbitrary remote code execution with the privileges of the user running the instrumented JVM.

**Recommendations**

Versions prior to 2.26.1: Upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.