VulnerableCode Package Details - pkg:maven/com.datadoghq/dd-java-agent@1.29.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-by16-x54c-43cd Aliases: CVE-2026-33728 GHSA-579q-h82j-r5v2	dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: 1. dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier 2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable 3. A gadget-chain-compatible library is present on the classpath ### Impact Arbitrary remote code execution with the privileges of the user running the instrumented JVM. ### Recommendation - For JDK >= 17: No action is required, but upgrading is strongly encouraged. - For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later. - For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below. ### Workarounds Set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false` ### Credits This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.	1.60.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-by16-x54c-43cd
Aliases:
CVE-2026-33728
GHSA-579q-h82j-r5v2

dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: 1. dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier 2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable 3. A gadget-chain-compatible library is present on the classpath ### Impact Arbitrary remote code execution with the privileges of the user running the instrumented JVM. ### Recommendation - For JDK >= 17: No action is required, but upgrading is strongly encouraged. - For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later. - For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below. ### Workarounds Set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false` ### Credits This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.

1.60.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T07:36:30.060023+00:00	GitLab Importer	Affected by	VCID-by16-x54c-43cd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.datadoghq/dd-java-agent/CVE-2026-33728.yml	38.6.0

2026-06-06T07:36:30.060023+00:00

GitLab Importer

Affected by

VCID-by16-x54c-43cd

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.datadoghq/dd-java-agent/CVE-2026-33728.yml

38.6.0

Next non-vulnerable version	1.60.3
Latest non-vulnerable version	1.60.3
Risk	4.5