CVE-2026-33728 (Java ecosystem)
Severity: CRITICAL
CVSS vector (GitHub Advisory, the only severity source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (GitHub Advisory)
In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
- dd-trace-java is attached as a Java agent (-javaagent) on Java 16 or earlier
- A JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable
- A gadget-chain-compatible library is present on the classpath
Impact
Arbitrary remote code execution with the privileges of the user running the instrumented JVM.
Recommendation
- For JDK >= 17: No action is required, but upgrading is strongly encouraged.
- For JDK >= 8u121 and < 17: Upgrade to dd-trace-java version 1.60.3 or later.
- For JDK < 8u121, where serialization filters are not available: apply the workaround described below.
Workarounds
Set the following environment variable to disable the RMI integration: DD_INTEGRATION_RMI_ENABLED=false
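The advisory's root cause is deserialization "without applying serialization filters". The example below is added here to show what that filter is; it is not dd-trace-java code, and the classes AllowedEvent and UnexpectedType are constructed for the demo. It deserializes the same bytes twice: once through a plain ObjectInputStream, which instantiates whatever class the stream names, and once through an ObjectInputFilter allow-list (JEP 290, java.io.ObjectInputFilter on JDK 9+; the same mechanism is exposed as sun.misc.ObjectInputFilter on 8u121+), which rejects any class not on the list before its deserialization logic runs.

```java
import java.io.*;

/**
 * Added example (not dd-trace-java code): unfiltered vs. filtered
 * deserialization of the same byte stream. Compiles on JDK 9 or later.
 */
public class SerialFilterDemo {

    /** A type the endpoint legitimately expects (constructed for this demo). */
    static final class AllowedEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        AllowedEvent(String name) { this.name = name; }
    }

    /** A type the endpoint never expects; stands in for any unwanted class. */
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Unfiltered: every class named in the stream is resolved and instantiated. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /**
     * Filtered: only the allow-listed classes may be resolved. The filter is
     * consulted for every class in the stream (String included), so the
     * expected payload's field types must be listed too; "!*" rejects the rest.
     */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                AllowedEvent.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new AllowedEvent("heartbeat"));
        byte[] unexpected = serialize(new UnexpectedType());

        // Without a filter both streams are accepted; the second one proves that
        // the receiver has no say over which classes get instantiated.
        System.out.println("unfiltered, expected type:   "
                + ((AllowedEvent) readUnfiltered(expected)).name);
        System.out.println("unfiltered, unexpected type: "
                + readUnfiltered(unexpected).getClass().getSimpleName());

        // With the allow-list the expected payload still works and the
        // unexpected class is rejected with InvalidClassException.
        System.out.println("filtered, expected type:     "
                + ((AllowedEvent) readFiltered(expected)).name);
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected type:   accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same pattern string can be applied process-wide with -Djdk.serialFilter=... or ObjectInputFilter.Config.setSerialFilter, which covers deserialization performed by code you do not control, such as an agent's RMI endpoint, but a per-stream allow-list as shown is the stricter choice where the endpoint's expected types are known.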
Credits
This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.
Analysis (AI-generated)
Remote code execution is possible in DataDog's dd-trace-java agent versions prior to 1.60.3 when running on JDK 16 or earlier with exposed JMX/RMI ports. The vulnerability stems from unsafe deserialization in the RMI instrumentation's custom endpoint, allowing network-accessible attackers to execute arbitrary code if gadget-chain libraries exist on the classpath. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires dd-trace-java versions prior to 1.60.3 attached as Java agent (-javaagent) on Java 16 or earlier with JMX/RMI port explicitly configured via -Dcom.sun.management.jmxremote.port. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is constrained by three mandatory preconditions: the agent must run on JDK 16 or earlier (increasingly uncommon in production), JMX/RMI ports must be explicitly configured and network-reachable (typically disabled or firewalled in secure deployments), and exploitable gadget-chain libraries must exist on the classpath. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to an exposed JMX port (typically TCP 9010 or similar) on a server running dd-trace-java prior to 1.60.3 on JDK 16 crafts a malicious serialized Java object containing a gadget chain leveraging libraries like Apache Commons Collections present in the application classpath. When the attacker sends this payload to the vulnerable RMI endpoint registered by the dd-trace-java agent, the unsafe deserialization process executes the gadget chain, allowing the attacker to run arbitrary commands with the privileges of the JVM process, potentially achieving full system compromise depending on the service account permissions. |
| Remediation | Upgrade dd-trace-java to version 1.60.3 or later, as documented in the vendor advisory at https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2 and release announcement at https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
Within 24 hours: Identify all systems running dd-trace-java agent versions prior to 1.60.3, prioritize those with JDK 16 or earlier and exposed JMX/RMI ports, and isolate or restrict network access to these ports. …
Reference: GHSA-579q-h82j-r5v2