External risk intelligence

Datadog Java Agent RMI Deserialization Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-33728

The `dd-trace-java` component has a vulnerability that could allow unauthorized code execution. This affects organizations using Java 16 or earlier with specific network configurations. Attackers could gain control of systems and compromise data. Action is advised to mitigate risk.

Halo Surface Signal: 2

Weakness class: Deserialization

Product: Datadog dd-trace-java

Affected versions: 0.40.0 to before 1.60.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-33728

The vulnerability requires an explicitly configured JMX/RMI port to be network-reachable. Even where such management ports are reachable over a network, they are typically restricted to internal administrative networks and are rarely exposed directly to the public internet under common secure deployment practices.

PCI scan relevance

PCI Relevance for CVE-2026-33728

Yes

CVE-2026-33728 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in dd-trace-java allows for remote code execution, which would likely cause a PCI ASV scan to fail. It affects applications using specific Java versions and network-accessible JMX or RMI ports.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

The `dd-trace-java` component is vulnerable due to improper handling of deserialized data. This flaw allows an attacker with network access to specific ports on an affected system to execute arbitrary code. The potential impact includes unauthorized system control and data compromise.

  • Vulnerable component: `dd-trace-java` instrumentation
  • Core weakness: Unfiltered data deserialization
  • Main business impact: Remote code execution

Attack Path

How an attacker could exploit the issue

The vulnerability arises when the dd-trace-java agent is used with Java 16 or earlier, and a JMX or RMI port is network-accessible. An attacker can leverage a compatible library on the classpath to deserialize data without proper filtering. This allows the attacker to execute arbitrary code on the instrumented JVM.

  • Java agent on Java 16 or earlier.
  • Network-accessible JMX/RMI port.
  • Attacker triggers deserialization.
  • Attacker achieves code execution.

Live Threat

Current exploitation, exposure, and threat context

The `dd-trace-java` component contains a vulnerability that could allow attackers to execute arbitrary code. This occurs when specific conditions are met, including the use of Java 16 or earlier, network access to a JMX or RMI port, and the presence of compatible libraries. Organizations using affected versions and meeting these criteria face a significant risk.

  • Attackers with network access.
  • Explicit JMX/RMI port configured.
  • High business risk; urgent action advised.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts organizations using the dd-trace-java agent on Java 16 or earlier. Exploitation requires specific network configurations and the presence of compatible libraries. An attacker could potentially gain remote code execution capabilities on an affected Java Virtual Machine (JVM). This poses a significant risk to the confidentiality, integrity, and availability of systems and data.

  • Find affected Java applications and their configurations.
  • Disable RMI integration if the workaround is applicable.
  • Update dd-trace-java to a secure version and verify.

Frequently asked questions

What is dd-trace-java and what is it used for?

dd-trace-java is a Datadog application performance monitoring (APM) client for Java applications. It is used to trace and monitor the performance of Java programs, helping developers understand and optimize their applications.

How does CVE-2026-33728 impact dd-trace-java?

CVE-2026-33728 is a deserialization vulnerability in dd-trace-java. When Java 16 or earlier is used, and a JMX or RMI port is network-reachable, an attacker could exploit this weakness (CWE-502) to deserialize data without proper filtering, potentially leading to remote code execution.

What conditions must be met for an attacker to exploit CVE-2026-33728?

An attacker must meet three conditions: dd-trace-java must be attached as a Java agent on Java 16 or earlier, a JMX/RMI port must be explicitly configured and network-reachable, and a library compatible with gadget-chain attacks must be present in the application's classpath.

Who should be concerned about this vulnerability based on its exposure?

Organizations that have dd-trace-java attached to Java applications running on Java 16 or earlier, and where JMX/RMI ports are explicitly configured and accessible over the network, should be concerned. This vulnerability is classified as external because it can be exploited over the network.

What are the first steps for addressing this vulnerability in dd-trace-java?

First, identify all Java applications using dd-trace-java on Java 16 or earlier. If applicable, consider disabling the RMI integration by setting the environment variable DD_INTEGRATION_RMI_ENABLED=false. Finally, upgrade dd-trace-java to version 1.60.3 or later.
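The inventory step in the Operational Fix list and the first-steps answer above both reduce to the same per-JVM check: is dd-trace-java attached at an affected version, is the runtime Java 16 or earlier, is a JMX/RMI port explicitly configured, and is the `DD_INTEGRATION_RMI_ENABLED=false` workaround in place. The script below is an added example, not Datadog's code and not part of this advisory. It classifies JVM command lines of the kind you would collect from `ps` against those conditions using the version range and fixed release stated above. The agent jar naming pattern is an assumption, and the process records are constructed sample data.

```python
"""Triage helper for CVE-2026-33728 in dd-trace-java.

Added example, not Datadog's code. It checks each JVM against the advisory's
preconditions: an attached dd-trace-java agent in 0.40.0 <= v < 1.60.3, Java 16
or earlier, and an explicitly configured JMX/RMI port; it also notes whether the
DD_INTEGRATION_RMI_ENABLED=false workaround is set. Process data is constructed.
"""
import re
from typing import Dict, List, Tuple

FIRST_AFFECTED = (0, 40, 0)      # start of the affected range (from the advisory)
FIRST_FIXED = (1, 60, 3)         # first fixed release (from the advisory)
LAST_AFFECTED_JAVA_MAJOR = 16    # Java 16 or earlier is in scope

# Jar naming is an assumption: Maven artifacts carry a version
# (dd-java-agent-1.58.0.jar); direct downloads may not (dd-java-agent.jar).
AGENT_RE = re.compile(r"-javaagent:\S*?dd-java-agent(?:-(\d+\.\d+\.\d+))?\.jar")
# Standard HotSpot properties that open a JMX connector / RMI registry port.
JMX_PORT_RE = re.compile(r"-Dcom\.sun\.management\.jmxremote(?:\.rmi)?\.port=(\d+)")

ADVICE = {
    "no_agent": "dd-trace-java not attached; out of scope",
    "unknown_version": "unversioned agent jar; read its manifest before deciding",
    "version_ok": "agent outside 0.40.0 to 1.60.2; not affected",
    "java_ok": "affected agent but Java 17+; precondition not met, upgrade anyway",
    "port_not_configured": "affected agent, no JMX/RMI port; schedule the upgrade",
    "workaround_applied": "RMI integration disabled; upgrade to 1.60.3+ still required",
    "exposed": "EXPOSED: upgrade to 1.60.3+ now, or set DD_INTEGRATION_RMI_ENABLED=false",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.60.3' -> (1, 60, 3); tuples compare correctly for multi-digit parts."""
    return tuple(int(part) for part in text.split("."))


def agent_version_affected(version: Tuple[int, ...]) -> bool:
    """True for 0.40.0 <= version < 1.60.3, the range named by the advisory."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def assess(cmdline: str, java_major: int, env: Dict[str, str]) -> str:
    """Return one ADVICE key for a single JVM, checked in precondition order."""
    agent = AGENT_RE.search(cmdline)
    if agent is None:
        return "no_agent"
    if agent.group(1) is None:
        return "unknown_version"           # cannot decide from the command line alone
    if not agent_version_affected(parse_version(agent.group(1))):
        return "version_ok"
    if java_major > LAST_AFFECTED_JAVA_MAJOR:
        return "java_ok"
    if JMX_PORT_RE.search(cmdline) is None:
        return "port_not_configured"
    if env.get("DD_INTEGRATION_RMI_ENABLED", "").strip().lower() == "false":
        return "workaround_applied"
    return "exposed"


# Constructed inventory records: (pid, command line, Java major, environment).
SAMPLE_JVMS: List[Tuple[int, str, int, Dict[str, str]]] = [
    (1001, "java -javaagent:/opt/dd/dd-java-agent-1.58.0.jar "
           "-Dcom.sun.management.jmxremote.port=9010 -jar orders.jar", 11, {}),
    (1002, "java -javaagent:/opt/dd/dd-java-agent-1.58.0.jar "
           "-Dcom.sun.management.jmxremote.port=9010 -jar billing.jar", 11,
           {"DD_INTEGRATION_RMI_ENABLED": "false"}),
    (1003, "java -javaagent:/opt/dd/dd-java-agent-1.60.3.jar "
           "-Dcom.sun.management.jmxremote.rmi.port=9011 -jar api.jar", 8, {}),
    (1004, "java -javaagent:/opt/dd/dd-java-agent-1.58.0.jar "
           "-Dcom.sun.management.jmxremote.port=9010 -jar web.jar", 17, {}),
    (1005, "java -javaagent:/opt/dd/dd-java-agent-1.58.0.jar -jar batch.jar", 11, {}),
    (1006, "java -javaagent:/opt/dd/dd-java-agent.jar -jar legacy.jar", 8, {}),
    (1007, "java -jar plain.jar", 11, {}),
]


def triage(jvms) -> Dict[int, str]:
    """Map each pid to its ADVICE key."""
    return {pid: assess(cmd, java, env) for pid, cmd, java, env in jvms}


if __name__ == "__main__":
    for pid, status in triage(SAMPLE_JVMS).items():
        print(f"{pid}\t{status:20}\t{ADVICE[status]}")
```

The check order matters: an unversioned jar is reported for manual inspection before any other verdict, and a JVM on Java 17 or later with an affected agent is reported separately so it still lands on the upgrade list even though the advisory's precondition is not met. The workaround status is deliberately never treated as closing the finding, matching the advisory's sequence of disabling RMI integration first and upgrading to 1.60.3 afterwards.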
