OpenTelemetry RMI Instrumentation Unsafe Deserialization RCE
A remote code execution vulnerability exists in OpenTelemetry Java agent versions prior to 2.26.1 due to unsafe deserialization in the RMI instrumentation, potentially allowing attackers with network access to execute arbitrary code on vulnerable systems.
OpenTelemetry is an observability framework providing APIs, SDKs, and tools for collecting telemetry data from applications. A critical vulnerability, CVE-2026-33701, affects OpenTelemetry Java agent versions prior to 2.26.1. The vulnerability stems from the RMI instrumentation registering a custom endpoint that deserializes incoming data without proper serialization filters. This exposes a potential remote code execution (RCE) risk. Successful exploitation requires the OpenTelemetry Java agent to be attached as a Java agent (-javaagent), a network-reachable RMI endpoint (e.g., JMX, RMI registry), and the presence of a gadget-chain-compatible library on the classpath. This vulnerability was responsibly disclosed in coordination with Datadog.
Attack Chain
- An attacker identifies a target JVM running a vulnerable version of the OpenTelemetry Java agent (prior to 2.26.1).
- The attacker confirms that the target JVM has a network-reachable RMI endpoint (e.g., JMX remote port).
- The attacker ensures a gadget-chain-compatible library (e.g., those used in typical Java deserialization attacks) is present on the target's classpath.
- The attacker crafts a malicious serialized Java object (payload) designed to execute arbitrary code when deserialized. This payload leverages a known gadget chain within the available libraries.
- The attacker sends the malicious serialized object to the vulnerable RMI endpoint exposed by the OpenTelemetry Java agent's RMI instrumentation.
- The OpenTelemetry Java agent deserializes the object without proper validation, triggering the gadget chain.
- The gadget chain executes arbitrary code within the context of the JVM process.
- The attacker achieves remote code execution, potentially gaining full control of the compromised system.
Impact
Successful exploitation of CVE-2026-33701 allows for arbitrary remote code execution with the privileges of the user running the instrumented JVM. This could lead to complete system compromise, data theft, or denial of service. Given the widespread use of OpenTelemetry for monitoring, a successful attack could have significant implications for affected organizations.
Recommendation
- Upgrade to OpenTelemetry Java agent version 2.26.1 or later to remediate CVE-2026-33701.
- Apply the provided workaround by setting the system property
-Dotel.instrumentation.rmi.enabled=falseto disable the vulnerable RMI integration.
Detection coverage 2
Detect OpenTelemetry RMI Instrumentation Attempt
highDetects potential attempts to exploit the OpenTelemetry RMI instrumentation vulnerability by monitoring for network connections to common RMI ports from unusual processes.
Detect OpenTelemetry RMI System Property Override
infoDetects attempts to disable OpenTelemetry RMI instrumentation by setting the 'otel.instrumentation.rmi.enabled' system property to 'false'.
Detection queries are available on the platform. Get full rules →