A critical vulnerability has been uncovered in the OpenTelemetry Instrumentation for Java, a popular agent used by developers to gather traces and metrics without changing a single line of application code. The flaw, designated CVE-2026-33701, carries a CVSS score of 9.3, signaling a “Critical” threat level for Java-based enterprise environments.
OpenTelemetry’s Java agent works by dynamically injecting bytecode into applications at runtime. While this provides seamless monitoring, researchers have discovered that one of its core instrumentation components, the one that monitors Remote Method Invocation (RMI), exposes a network-reachable deserialization path that attackers can abuse.
The vulnerability stems from how the Java agent’s RMI instrumentation handles incoming data. In versions prior to 2.26.1, the agent registers a custom endpoint that deserializes data from the network without applying a deserialization filter (Java’s ObjectInputFilter mechanism, introduced in JEP 290), so any serializable class on the classpath can be instantiated from attacker-supplied bytes.
An attacker with network access to a JMX or RMI port can send a malicious serialized payload. Because the agent deserializes it without validating the classes it contains, a crafted object graph (a gadget chain) can drive the JVM into executing attacker-chosen code during deserialization itself, before any application logic sees the data.
If successful, the attacker gains the ability to run arbitrary code with the exact same system privileges as the user running the Java application.
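To make the mechanism concrete, the following is an added example (not code from the OpenTelemetry project or from the advisory) showing the unfiltered ObjectInputStream pattern the article describes beside the filtered form that JEP 290 provides. The class names, the allow-list and the sample payloads are constructed for illustration; an ArrayList stands in for any unexpected type, such as the root object of a gadget chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;

public class SerialFilterDemo {

    // The pattern the advisory describes: whatever class the bytes name gets
    // resolved and its readObject/readResolve logic runs. Nothing is checked first.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened form: an allow-list filter (JEP 290). Only the listed types may be
    // deserialized; "!*" rejects everything else before its class is even resolved,
    // so a gadget chain never gets to execute.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "java.lang.String;java.lang.Integer;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();
        }
    }

    // Helper to build sample payloads; in the real bug the bytes arrive over the network.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize("hello");                 // constructed benign payload
        byte[] unexpected = serialize(new ArrayList<String>()); // constructed unexpected type

        // Unfiltered stream accepts anything on the classpath.
        System.out.println("unfiltered accepted: " + readUnfiltered(unexpected));

        // Filtered stream accepts the expected type ...
        System.out.println("filtered accepted: " + readFiltered(expected));

        // ... and rejects the unexpected one with InvalidClassException ("filter status: REJECTED").
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepted unexpected type (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo` on Java 9 or later. As a defense-in-depth measure beyond what the article covers, the JDK also honours a process-wide filter set with `-Djdk.serialFilter=<pattern>`, which applies to every ObjectInputStream in the JVM, including ones a library or agent creates without calling setObjectInputFilter; a per-stream filter such as the one above overrides it for that stream.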
Security experts note that three specific conditions must align for an application to be vulnerable to this RCE (Remote Code Execution) attack:
- The OpenTelemetry Java instrumentation must be actively attached to the application as a -javaagent.
- An RMI-related service, such as a JMX remote port or an RMI registry, must be reachable over the network.
- A library that supplies a usable deserialization gadget chain (common in many standard Java environments) must be present on the application’s classpath, because the agent’s endpoint only performs the deserialization; the code that actually runs comes from classes already available to the JVM.
The OpenTelemetry maintainers have moved quickly to patch the hole. The primary recommendation for all users is to upgrade to version 2.26.1 or later immediately.
If an immediate upgrade is not feasible, the RMI instrumentation can be explicitly disabled by adding the corresponding system property to the application’s startup command, using the agent’s per-instrumentation enable/disable switch.
By disabling this specific integration, you close the vulnerable endpoint while keeping the rest of your telemetry active. However, security teams are urged to treat this as a stopgap measure only until the patched agent can be deployed.
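The following is an added example (not the OpenTelemetry project’s code) that turns the three conditions and the stopgap above into a self-check that runs inside the JVM, reading its own input arguments through RuntimeMXBean. Assumptions: the agent version is parsed from the jar filename when present (release jars are often just opentelemetry-javaagent.jar, so the manifest is the fallback); JMX exposure is inferred from the standard com.sun.management.jmxremote.* flags; and the disable switch is taken to be otel.instrumentation.rmi.enabled=false, following the agent’s documented otel.instrumentation.<name>.enabled convention. The page itself does not print the property, so confirm it against the agent documentation for your version. The gadget-library condition is not automated here; review the classpath by hand. The sample command line in main is constructed, not taken from a real host.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OtelRmiExposureCheck {
    static final String PATCHED = "2.26.1";
    // Assumed per-module switch (otel.instrumentation.<name>.enabled, module "rmi");
    // verify against the agent docs. The OTEL_INSTRUMENTATION_RMI_ENABLED environment
    // variable form is not checked by this example.
    static final String RMI_OFF = "-Dotel.instrumentation.rmi.enabled=false";

    // Numeric dotted-version comparison: "2.26.0" < "2.26.1" < "2.27.0".
    static int compareVersions(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    // "-javaagent:/opt/opentelemetry-javaagent-2.25.0.jar" -> "2.25.0"; null if absent.
    static String agentVersion(String javaagentArg) {
        Matcher m = Pattern.compile("opentelemetry-javaagent-(\\d+(?:\\.\\d+)+)").matcher(javaagentArg);
        return m.find() ? m.group(1) : null;
    }

    // One finding per line; an empty list means nothing actionable is visible in the arguments.
    static List<String> assess(List<String> jvmArgs) {
        List<String> findings = new ArrayList<>();
        String agent = null;
        boolean jmx = false, rmiOff = false;
        for (String arg : jvmArgs) {
            if (arg.startsWith("-javaagent:") && arg.contains("opentelemetry-javaagent")) agent = arg;
            if (arg.startsWith("-Dcom.sun.management.jmxremote")) jmx = true;
            if (arg.equals(RMI_OFF)) rmiOff = true;
        }
        if (agent == null) return findings;                        // condition 1 not met

        String version = agentVersion(agent);
        if (version == null) {
            findings.add("OpenTelemetry agent attached; version not in filename, check the jar manifest");
        } else if (compareVersions(version, PATCHED) < 0) {
            findings.add("OpenTelemetry agent " + version + " is older than " + PATCHED + ": upgrade");
        } else {
            return findings;                                       // patched release, nothing to do
        }
        if (jmx) {
            findings.add("JMX remote enabled (com.sun.management.jmxremote.*): RMI endpoint reachable, condition 2 met");
        }
        findings.add(rmiOff
                ? "stopgap present: " + RMI_OFF
                : "stopgap absent: add " + RMI_OFF + " until the agent is upgraded");
        findings.add("condition 3 (gadget chain on classpath) needs manual review of java.class.path");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: an unpatched agent with an unauthenticated JMX port.
        List<String> sample = List.of(
                "-javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar",
                "-Dcom.sun.management.jmxremote.port=9010",
                "-Dcom.sun.management.jmxremote.authenticate=false",
                "-Xmx2g");
        assess(sample).forEach(f -> System.out.println("[sample] " + f));

        // Live check of the JVM this class is running in.
        assess(ManagementFactory.getRuntimeMXBean().getInputArguments())
                .forEach(f -> System.out.println("[this jvm] " + f));
    }
}
```

Run it as a standalone tool (`java OtelRmiExposureCheck`) to see the sample findings, or drop the assess method into a health-check endpoint so each JVM reports its own exposure; the live check reads only the current process’s arguments, so it must run inside the JVM you are assessing.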