Which versions of Java are affected by CVE-2026-33701?

A critical remote code execution vulnerability in OpenTelemetry Java instrumentation could allow attackers to gain complete control of affected applications if they can reach exposed RMI/JMX…. A patch is available.

How to fix or mitigate CVE-2026-33701?

Within 24 hours: Identify all applications using OpenTelemetry Java agent versions prior to 2.26.1 and assess network exposure of RMI/JMX endpoints. Within 7 days: Apply vendor patch to upgrade OpenTelemetry Java instrumentation to version 2.26.1 or later across all affected systems, prioritizing internet-facing and high-risk applications. Within 30 days: Complete patching of all remaining systems and conduct post-patch verification testing to ensure monitoring functionality remains intact.

Java CVE-2026-33701

Q: What is the CVSS score of CVE-2026-33701?

CVE-2026-33701 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.5%.

CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-03-25 https://github.com/open-telemetry/opentelemetry-java-instrumentation

RCE Java Deserialization Red Hat

9.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.3 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Red Hat

8.1 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 25, 2026 - 21:32 vuln.today

Patch released

Mar 25, 2026 - 21:32 nvd

Patch available

CVE Published

Mar 25, 2026 - 21:27 nvd

CRITICAL 9.3

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

6 maven packages depend on io.opentelemetry.javaagent:opentelemetry-javaagent (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.26.1.

DescriptionGitHub Advisory

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:

OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent)
An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service)
A gadget-chain-compatible library is present on the classpath

Impact

Arbitrary remote code execution with the privileges of the user running the instrumented JVM.

Recommendation

Upgrade to version 2.26.1 or later.

Workarounds

Set the following system property to disable the RMI integration:

-Dotel.instrumentation.rmi.enabled=false

Credits

This vulnerability was responsibly disclosed in coordination with Datadog.

Articles & Coverage 1

securityonline.info CVE-2026-33701: Critical RCE in OpenTelemetry Java Agent RMI Instrumentation (CVSS 9.3)

AnalysisAI

A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Connect to exposed RMI endpoint

Exploit

Send serialized malicious gadget chain

Execution

Deserialize without filters

Impact

Execute arbitrary code on JVM

Access

Connect to exposed RMI endpoint

Exploit

Send serialized malicious gadget chain

Execution

Deserialize without filters

Impact

Execute arbitrary code on JVM

Vulnerability AssessmentAI

Exploitation	Requires OpenTelemetry Java instrumentation attached as Java agent (-javaagent) in versions prior to 2.26.1, with network-reachable RMI endpoint (JMX remote port, RMI registry, or application-exported RMI service), and available gadget chain. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is moderate to high but requires specific preconditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker scans for exposed JMX remote ports (commonly 9010, 9020, or custom ports) on instrumented application servers. Upon discovering an accessible JMX endpoint on a JVM running OpenTelemetry Java agent prior to 2.26.1, the attacker crafts a malicious serialized Java object containing a gadget chain (e.g., using ysoserial with Commons Collections) and sends it to the RMI endpoint. …
Remediation	Upgrade OpenTelemetry Java instrumentation to version 2.26.1 or later, as documented in the release notes at https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1 and the patch commit at https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications using OpenTelemetry Java agent versions prior to 2.26.1 and assess network exposure of RMI/JMX endpoints. …

Threat intelligence, references, and detailed analysis are available after sign-in.