Executive Summary

CVE-2026-33728 is a critical security vulnerability in the dd-trace-java agent, a Datadog APM client for Java. The issue occurs in versions 0.40.0 through 1.60.2, where the RMI (Remote Method Invocation) instrumentation registers a custom endpoint that deserializes incoming data without applying serialization filters.

This flaw affects Java Development Kit (JDK) versions 16 and earlier. An attacker with network access to a JMX or RMI port on a JVM instrumented with dd-trace-java can exploit this vulnerability to potentially execute arbitrary code remotely.

Exploitation requires three conditions: dd-trace-java must be attached as a Java agent on JDK 16 or earlier; a JMX/RMI port must be explicitly configured and network-accessible; and a gadget-chain-compatible library must be present on the classpath to facilitate the deserialization attack.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including allowing an attacker to achieve remote code execution (RCE) on the affected system with the privileges of the user running the JVM.

Because the attack requires no privileges or user interaction and has a network-based attack vector with low complexity, it poses a high risk to confidentiality, integrity, and availability of the vulnerable system.

Successful exploitation could lead to arbitrary code execution remotely, potentially compromising the entire system running the dd-trace-java agent.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if dd-trace-java is attached as a Java agent on a JVM running JDK 16 or earlier, and if a JMX or RMI port is explicitly configured and network-accessible.

You can check for the presence of the dd-trace-java Java agent by inspecting the JVM process command line for the '-javaagent' argument referencing dd-trace-java.

To verify if a JMX/RMI port is configured and listening, you can use commands like:

• On Linux, run: `netstat -tuln | grep <port>` or `ss -tuln | grep <port>` to check if the JMX/RMI port is open and listening.
• Use `jps -lv` to list Java processes and their arguments to confirm if dd-trace-java is attached.
• Check environment variables or JVM options for `-Dcom.sun.management.jmxremote.port` to identify the configured JMX/RMI port.

Additionally, verifying the Java version (JDK 16 or earlier) and presence of gadget-chain-compatible libraries on the classpath is necessary to assess exploitability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps depend on your JDK version and dd-trace-java version:

• If you are running JDK versions between 8u121 and 16, upgrade dd-trace-java to version 1.60.3 or later, which fixes the vulnerability by securing RMI serialization.
• For JDK 17 and above, no action is required, but upgrading dd-trace-java is still strongly encouraged.
• For JDK versions earlier than 8u121, where serialization filters are not available, apply the workaround by setting the environment variable `DD_INTEGRATION_RMI_ENABLED=false` to disable the RMI integration.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in dd-trace-java allows remote code execution on affected systems, which compromises the confidentiality, integrity, and availability of the system. Such a compromise can lead to unauthorized access to sensitive data and disruption of services.

Because of these impacts, organizations using vulnerable versions of dd-trace-java on affected JDK versions may face challenges in maintaining compliance with common standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and system integrity.

Mitigating the vulnerability by upgrading to dd-trace-java version 1.60.3 or later, or applying the recommended workaround, is essential to reduce the risk of non-compliance due to potential data breaches or system compromises.

Useful 0 Not Useful 0