PT-2026-28514 · Oracle · Java Development Kit

Published: 2026-03-26 · Updated: 2026-03-28 · CVE-2026-33728

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: dd-trace-java versions 0.40.0 up to, but not including, 1.60.2
Description: dd-trace-java is a Datadog APM client for Java. The RMI instrumentation in affected versions registered a custom endpoint that deserialized incoming data without applying serialization filters. On Java Development Kit (JDK) version 16 and earlier, an attacker with network access to a Java Management Extensions (JMX) or Remote Method Invocation (RMI) port on an instrumented Java Virtual Machine (JVM) could potentially achieve remote code execution. Three conditions must be met for exploitation: (1) dd-trace-java must be attached as a Java agent (-javaagent) on Java 16 or earlier; (2) a JMX/RMI port must be explicitly configured via -Dcom.sun.management.jmxremote.port and be network-reachable; (3) a gadget-chain-compatible library must be present on the classpath. The vulnerability involves unsafe deserialization, which could lead to arbitrary remote code execution with the privileges of the user running the instrumented JVM.
Recommendations: For JDK versions 17 and later: no action is required, but upgrading is strongly encouraged. For JDK versions from 8u121 up to, but not including, 17: upgrade to dd-trace-java version 1.60.3 or later. For JDK versions earlier than 8u121, where serialization filters are not available: set the environment variable DD_INTEGRATION_RMI_ENABLED=false to disable the RMI integration.
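A triage helper that maps one JVM's launch line, JDK version, agent version and environment to the recommendation above. It is an added example, not part of this advisory or of dd-trace-java; it assumes the agent jar is named dd-java-agent.jar, and the third condition (a gadget-chain library on the classpath) has to be checked separately.

```python
import re
from typing import Dict, Tuple

# Version bounds taken from the advisory text.
AFFECTED_FROM, AFFECTED_BEFORE = (0, 40, 0), (1, 60, 2)

# Constructed sample launch line (not from the advisory) for trying the check.
SAMPLE_CMDLINE = ("java -javaagent:/opt/dd-java-agent.jar "
                  "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.60.3' -> (1, 60, 3); used for dd-trace-java versions."""
    return tuple(int(p) for p in v.split("."))


def jdk_major_update(java_version: str) -> Tuple[int, int]:
    """Normalise java.version strings: '1.8.0_121' -> (8, 121), '11.0.20' -> (11, 0)."""
    m = re.fullmatch(r"1\.(\d+)\.\d+_(\d+)", java_version)
    if m:  # legacy 1.x naming used by JDK 8 and earlier
        return int(m.group(1)), int(m.group(2))
    return int(java_version.split(".")[0]), 0


def assess(cmdline: str, java_version: str, agent_version: str,
           env: Dict[str, str]) -> str:
    """Return the advisory's recommendation for one JVM (gadget chains not checked)."""
    major, update = jdk_major_update(java_version)
    agent = parse_version(agent_version)
    # Condition 1: dd-trace-java attached as a Java agent (jar name is an assumption).
    agent_attached = re.search(r"-javaagent:\S*dd-java-agent[^\s:]*\.jar", cmdline)
    # Condition 2: a JMX/RMI port explicitly configured on the command line.
    jmx_port = re.search(r"-Dcom\.sun\.management\.jmxremote\.port=(\d+)", cmdline)
    if agent_attached is None or not (AFFECTED_FROM <= agent < AFFECTED_BEFORE):
        return "not affected: no affected dd-trace-java agent attached"
    if major >= 17:
        return "no action required (JDK 17+); upgrading the agent is still encouraged"
    if jmx_port is None:
        return "agent affected but no JMX/RMI port configured; still plan the upgrade"
    if env.get("DD_INTEGRATION_RMI_ENABLED", "").lower() == "false":
        return "mitigated: RMI integration disabled"
    if (major, update) >= (8, 121):  # serialization filters available
        return "upgrade dd-trace-java to 1.60.3 or later"
    return "set DD_INTEGRATION_RMI_ENABLED=false (serialization filters unavailable)"
```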

Exploit · Fix · RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-33728, GHSA-579Q-H82J-R5V2

Affected Products: Java, Java Development Kit, dd-trace-java