{"data":{"id":"9960d4a1-33c8-4aa0-b440-aca50e252d69","title":"GHSA-xw7x-h9fj-p2c7: OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution","summary":"OpenTelemetry Java instrumentation versions before 2.26.1 have a vulnerability in RMI instrumentation where incoming data is deserialized without proper validation, allowing attackers with network access to potentially execute arbitrary code on the affected system. The attack requires three conditions: OpenTelemetry must be running as a Java agent, an RMI endpoint (remote method invocation, a Java system for calling methods on remote servers) must be accessible over the network, and a gadget-chain-compatible library (a collection of existing code that can be chained together to execute unintended commands) must be present.","solution":"Upgrade to OpenTelemetry version 2.26.1 or later. Alternatively, disable RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false`.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-xw7x-h9fj-p2c7","publishedAt":"2026-03-25T21:27:43.000Z","cveId":"CVE-2026-33701","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["io.opentelemetry.javaagent:opentelemetry-javaagent@< 2.26.1 (fixed: 2.26.1)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-25T21:27:43.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0010"]}}