Threat Advisory

OpenTelemetry RMI Instrumentation Results in Deserialization Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

A critical vulnerability, CVE-2026-33701, has been identified in OpenTelemetry Java instrumentation: improper handling of deserialization within the RMI instrumentation allows attackers to exploit exposed endpoints. The flaw occurs because incoming data is deserialized without adequate serialization filtering, enabling malicious payload injection. If specific conditions are met (the application running with the Java agent enabled, an accessible RMI or JMX endpoint, and the presence of a compatible gadget chain), an attacker with network access can achieve remote code execution on the affected system. Successful exploitation can result in full compromise of the targeted environment, impacting confidentiality, integrity, and availability, as the attacker gains execution privileges equivalent to those of the running process. The vulnerability has a CVSS score of 9.3.


RECOMMENDATION:

  • We recommend updating opentelemetry-javaagent-instrumentation to version 2.26.1 or later.


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-xw7x-h9fj-p2c7
