PT-2026-28180 · Opentelemetry · @Opentelemetry/Instrumentation

Lauri Tulmin · Published 2026-03-25 · Updated 2026-03-31 · CVE-2026-33701

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenTelemetry Java Instrumentation, versions prior to 2.26.1

Description: The OpenTelemetry Java instrumentation registers a custom endpoint (part of its RMI integration, which the workaround below disables) that deserializes incoming data without applying a serialization filter. An attacker with network access to a JMX or RMI port on an instrumented JVM can send crafted serialized objects to that endpoint and achieve remote code execution. All three of the following conditions must hold for exploitation: (1) the OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent); (2) a JMX/RMI port is explicitly configured and reachable over the network; (3) a gadget-chain-compatible library is present on the classpath. Successful exploitation yields arbitrary code execution with the privileges of the user running the instrumented JVM.

Recommendations: Versions prior to 2.26.1: upgrade to version 2.26.1 or later. As a workaround, set the system property -Dotel.instrumentation.rmi.enabled=false on the instrumented JVM to disable the RMI integration; this removes the vulnerable endpoint at the cost of RMI tracing. Independently of the agent version, keeping JMX/RMI ports unreachable from untrusted networks removes the second precondition above.
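As an added triage example (written for this page, not code from the advisory or from the OpenTelemetry project), the following Python script checks a JVM's command line against the preconditions above and the workaround: agent attached, agent version relative to 2.26.1, a JMX/RMI port set via -Dcom.sun.management.jmxremote.port or -Dcom.sun.management.jmxremote.rmi.port, and whether -Dotel.instrumentation.rmi.enabled=false is present. Assumptions: the agent jar is referenced under its published name, optionally with a Maven-style version suffix (opentelemetry-javaagent-<x.y.z>.jar); when no version is visible the script treats the agent as unfixed. The gadget-chain condition, the environment-variable form of the workaround, and a management agent started at runtime (jcmd <pid> ManagementAgent.start) are not inspected and must be verified separately.

```python
"""Triage JVM command lines for exposure to CVE-2026-33701 (added example, not project code)."""
import re
import shlex

# First release carrying the fix, per the advisory.
FIXED_VERSION = (2, 26, 1)

# Assumption: agent jar named opentelemetry-javaagent.jar, optionally with a
# Maven-style version suffix (opentelemetry-javaagent-2.25.0.jar).
AGENT_RE = re.compile(r"opentelemetry-javaagent(?:-(\d+)\.(\d+)\.(\d+))?\.jar$")

# System properties that open the JMX/RMI connector on a fixed, reachable port.
JMX_PORT_PROPS = (
    "com.sun.management.jmxremote.port",
    "com.sun.management.jmxremote.rmi.port",
)

# Workaround named in the advisory: disables the agent's RMI integration.
WORKAROUND_PROP = "otel.instrumentation.rmi.enabled"


def system_properties(args):
    """Collect -Dkey=value (or bare -Dkey) JVM options into a dict."""
    props = {}
    for arg in args:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props


def agent_version(args):
    """Return (attached, version) for the OTel Java agent; version is None when unknown."""
    for arg in args:
        if arg.startswith("-javaagent:"):
            path = arg[len("-javaagent:"):].split("=", 1)[0]  # drop agent options
            match = AGENT_RE.search(path)
            if match:
                if match.group(1) is None:
                    return True, None  # unversioned jar name: verify via agent log/manifest
                return True, tuple(int(g) for g in match.groups())
    return False, None


def assess(cmdline):
    """Classify one JVM command line.

    Verdicts: not_affected (no OTel agent), fixed (>= 2.26.1), mitigated
    (workaround property set), exposed (unfixed agent plus configured JMX/RMI
    port), latent (unfixed agent but no JMX/RMI port on the command line).
    The gadget-chain precondition is not checked here.
    """
    args = shlex.split(cmdline)
    attached, version = agent_version(args)
    props = system_properties(args)
    jmx_port = next((props[p] for p in JMX_PORT_PROPS if p in props), None)
    workaround = props.get(WORKAROUND_PROP, "").strip().lower() == "false"

    if not attached:
        verdict = "not_affected"
    elif version is not None and version >= FIXED_VERSION:
        verdict = "fixed"
    elif workaround:
        verdict = "mitigated"
    elif jmx_port is not None:
        verdict = "exposed"
    else:
        verdict = "latent"
    return {
        "verdict": verdict,
        "agent_version": version,
        "jmx_port": jmx_port,
        "workaround": workaround,
    }


if __name__ == "__main__":
    # Constructed sample command lines (no real hosts). In practice feed the
    # output of `ps -eo args` or `jcmd <pid> VM.command_line`, one JVM per line.
    samples = [
        "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
        "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar",
        "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
        "-Dcom.sun.management.jmxremote.port=9010 "
        "-Dotel.instrumentation.rmi.enabled=false -jar app.jar",
        "java -javaagent:/opt/otel/opentelemetry-javaagent-2.26.1.jar "
        "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar",
        "java -javaagent:/opt/otel/opentelemetry-javaagent.jar -jar app.jar",
        "java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar",
    ]
    for line in samples:
        r = assess(line)
        print(f"{r['verdict']:<13} version={r['agent_version']} "
              f"jmx_port={r['jmx_port']} workaround={r['workaround']}")
```

A "latent" result still warrants the upgrade: the missing port can be added later by an operator or opened at runtime without changing the command line, and the script cannot see the classpath.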

Exploit · Fix · RCE

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2026-33701
GHSA-XW7X-H9FJ-P2C7

Affected Products

@Opentelemetry/Instrumentation