CVE-2026-33728

dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable, Third, a gadget-chain-compatible library is present on the classpath. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK >= 8u121 < JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround. The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3	Product Release Notes
https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:datadog:dd-trace-java:*:*:*:*:*:*:*:*

History

03 Jun 2026, 14:21

Type	Values Removed	Values Added
First Time		Datadog Datadog dd-trace-java
CPE		cpe:2.3:a:datadog:dd-trace-java::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3 -~~	() https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3 - Product, Release Notes
References	~~() https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2 -~~	() https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2 - Mitigation, Vendor Advisory

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) dd-trace-java es un cliente APM de Datadog para Java. En las versiones de dd-trace-java 0.40.0 hasta la anterior a 1.60.2, la instrumentación RMI registró un punto final personalizado que deserializaba los datos entrantes sin aplicar filtros de serialización. En la versión 16 de JDK y anteriores, un atacante con acceso de red a un puerto JMX o RMI en una JVM instrumentada podría explotar esto para lograr potencialmente la ejecución remota de código. Las tres condiciones siguientes deben ser verdaderas para explotar esta vulnerabilidad: Primero, dd-trace-java está adjunto como un agente Java ('-javaagent') en Java 16 o anterior. Segundo, un puerto JMX/RMI ha sido configurado explícitamente a través de '-Dcom.sun.management.jmxremote.port' y es accesible por red. Tercero, una biblioteca compatible con cadenas de gadgets está presente en el classpath. Para JDK >= 17, no se requiere ninguna acción, pero se recomienda encarecidamente la actualización. Para JDK >= 8u121 < JDK 17, actualice a la versión 1.60.3 o posterior de dd-trace-java. Para JDK < 8u121 y anteriores donde los filtros de serialización no están disponibles, aplique la solución alternativa. La solución alternativa es establecer la siguiente variable de entorno para deshabilitar la integración RMI: 'DD_INTEGRATION_RMI_ENABLED=false'.

27 Mar 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 01:16

Updated : 2026-06-03 14:21

NVD link : CVE-2026-33728

Mitre link : CVE-2026-33728

CVE.ORG link : CVE-2026-33728

JSON object : View

Products Affected

datadog

dd-trace-java

CWE

CWE-502

Deserialization of Untrusted Data

9.8 /10