GHSA-xw7x-h9fj-p2c7: OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
Summary
OpenTelemetry Java instrumentation versions before 2.26.1 have a vulnerability in RMI instrumentation where incoming data is deserialized without proper validation, allowing attackers with network access to potentially execute arbitrary code on the affected system. The attack requires three conditions: OpenTelemetry must be running as a Java agent, an RMI endpoint (remote method invocation, a Java system for calling methods on remote servers) must be accessible over the network, and a gadget-chain-compatible library (a collection of existing code that can be chained together to execute unintended commands) must be present.
Solution / Mitigation
Upgrade to OpenTelemetry version 2.26.1 or later. Alternatively, disable RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false`.
Vulnerability Details
EPSS: 0.0%
Yes
March 25, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-xw7x-h9fj-p2c7
First tracked: March 25, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%