What is CVE-2026-33701?

CVE-2026-33701 is a vulnerability in Open-telemetry Opentelemetry-java-instrumentation, classified under Deserialization of Untrusted Data. Published 2026-03-27.

Is CVE-2026-33701 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Open-telemetry Opentelemetry-java-instrumentation

CVE-2026-33701

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data withou…

Vulnerability class: Insecure Deserialization

EPSS: 0.002 (43.9th percentile) — read the EPSS interpretation.

Affected products

Open-telemetry Opentelemetry-java-instrumentation — versions < 2.26.1

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

pl4tyz/CVE-2026-33701-Unsafe-Deserialization-in-OpenTelemetry-Java-Agent-RMI-Instrumentation

References

https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7 (x_refsource_CONFIRM)
https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197 (x_refsource_MISC)
https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33701?: CVE-2026-33701 is a vulnerability in Open-telemetry Opentelemetry-java-instrumentation, classified under Deserialization of Untrusted Data. Published 2026-03-27.
Is CVE-2026-33701 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.