VulnerableCode Package Details - pkg:maven/io.opentelemetry.javaagent/opentelemetry-javaagent@2.4.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-6nv2-yfgc-rubk Aliases: CVE-2026-33701 GHSA-xw7x-h9fj-p2c7	OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.	2.26.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-6nv2-yfgc-rubk
Aliases:
CVE-2026-33701
GHSA-xw7x-h9fj-p2c7

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.

2.26.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:37:05.847872+00:00	GitLab Importer	Affected by	VCID-6nv2-yfgc-rubk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.opentelemetry.javaagent/opentelemetry-javaagent/CVE-2026-33701.yml	38.6.0

2026-06-12T21:37:05.847872+00:00

GitLab Importer

Affected by

VCID-6nv2-yfgc-rubk

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.opentelemetry.javaagent/opentelemetry-javaagent/CVE-2026-33701.yml

38.6.0

Next non-vulnerable version	2.26.1
Latest non-vulnerable version	2.26.1
Risk	4.5