{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33728", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.560Z", "datePublished": "2026-03-27T00:25:56.444Z", "dateUpdated": "2026-03-27T00:25:56.444Z"}, "containers": {"cna": {"title": "dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2"}, {"name": "https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3"}], "affected": [{"vendor": "DataDog", "product": "dd-trace-java", "versions": [{"version": ">= 0.40.0, < 1.60.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:25:56.444Z"}, "descriptions": [{"lang": "en", "value": "dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability: First, dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable, Third, a gadget-chain-compatible library is present on the classpath. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK >= 8u121 < JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround. The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`."}], "source": {"advisory": "GHSA-579q-h82j-r5v2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability: First, dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable, Third, a gadget-chain-compatible library is present on the classpath. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK >= 8u121 < JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround. The workaround is to set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`."}], "id": "CVE-2026-33728", "lastModified": "2026-03-27T01:16:20.203", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:20.203", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.40.0,1.60.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dd-trace-java", "source": "cna", "vendor": "DataDog"}, "product": "dd-trace-java", "vendor": "datadog"}], "analysis": {"en": {"generated_at": "2026-03-27T06:24:33.033864+00:00", "value": {"mitigation_remediation": ["Upgrade dd\u2011trace\u2011java to version 1.60.3 or later on all affected JDK versions (8u121 or newer).", "If upgrading is not possible, disable the vulnerable RMI integration by setting the environment variable DD_INTEGRATION_RMI_ENABLED=false.", "Verify that JMX/RMI ports are not exposed to untrusted networks and remove any gadget\u2011chain libraries from the classpath.", "Ensure the Java runtime is upgraded to JDK\u00a017 or higher, which provides built\u2011in serialization filters that eliminate the unsafe deserialization path."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected vendor is DataDog, with the product dd\u2011trace\u2011java. Versions from 0.40.0 through 1.60.2 are vulnerable. The issue applies only to Java 8u121 up to, but not including, JDK 17. Java 17 and later provide serialization filters that mitigate the flaw. For JDK versions older than 8u121, serialization filters are not available, making the vulnerability more severe. Users running dd\u2011trace\u2011java before 1.60.3 on Java 8u121 or higher, or on older JDKs with the agent attached, are at risk.", "description_and_impact": "dd-trace-java, a Datadog APM client for Java contains an RMI endpoint that deserializes incoming data without applying serialization filters. The flaw, classified as CWE\u2011502, allows an attacker who can reach the JMX or RMI port of a JVM instrumented with dd\u2011trace\u2011java (versions 00 through 1.60.2) to exploit an unsafe deserialization path and potentially execute arbitrary code on the guest operating system. the vulnerability requires three conditions: the Java agent must be attached, a JMX/RMI port must be configured and network\u2011reachable, and a gadget\u2011chain compatible library must exist on the classpath. When all three conditions are satisfied, the attacker can gain full control of the JVM process, yielding confidentiality, integrity, and availability compromise.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.3, indicating a critical risk level. The EPSS score is not available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Attackers would need network access to a reachable JMX or RMI port, which is typically limited to internal networks. The vulnerability is remotely exploitable through the RMI interface, and requires the presence of gadget\u2011chain libraries in the JVM classpath. The realistic likelihood of exploitation depends on whether the environment exposes the JMX/RMI port externally and whether vulnerable libraries are present. Such conditions are common in production deployments of dd\u2011trace\u2011java without proper network hardening, making the overall risk high for impacted configurations."}}}}, "created": "2026-03-27T08:31:11.552560+00:00", "updated": "2026-03-27T09:22:33.878882+00:00", "vendors": ["datadog", "datadog$PRODUCT$dd-trace-java"]}