VulnerableCode Package Details - pkg:maven/io.opentelemetry.javaagent/opentelemetry-javaagent@2.26.1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6nv2-yfgc-rubk	OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.	CVE-2026-33701 GHSA-xw7x-h9fj-p2c7

Vulnerability

Summary

Aliases

VCID-6nv2-yfgc-rubk

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.

CVE-2026-33701
GHSA-xw7x-h9fj-p2c7

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:28:18.841785+00:00	GHSA Importer	Fixing	VCID-6nv2-yfgc-rubk	https://github.com/advisories/GHSA-xw7x-h9fj-p2c7	38.6.0
2026-06-12T21:37:05.987592+00:00	GitLab Importer	Fixing	VCID-6nv2-yfgc-rubk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.opentelemetry.javaagent/opentelemetry-javaagent/CVE-2026-33701.yml	38.6.0
2026-06-12T07:49:46.799105+00:00	GithubOSV Importer	Fixing	VCID-6nv2-yfgc-rubk	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xw7x-h9fj-p2c7/GHSA-xw7x-h9fj-p2c7.json	38.6.0