CVE-2026-54712
Status: Received - Intake

Remote Code Execution in OpenTelemetry Java Instrumentation

Vulnerability report for CVE-2026-54712, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.
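The defect class the description names (a reader that caps how many entries it accepts but not how many bytes those entries may declare) is easy to see in a small reader. The following Java program is an added illustration, not code from the OpenTelemetry project: the length-prefixed wire format, the limit values and the sample payload are all constructed for the example, and the real RMI propagation format is not reproduced here. It places a count-limited reader beside one that also enforces an aggregate byte budget before each allocation, and feeds both the same payload whose second value declares a 64 MiB length without supplying a body.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class BoundedContextReader {
    // Assumed limits for the example; the project's own values are not reproduced.
    static final int MAX_ENTRIES = 32;        // cap on the number of key/value pairs
    static final int MAX_TOTAL_BYTES = 4096;  // aggregate budget for all key and value bytes

    // Bookkeeping so the demo can report how much the weak reader allocated before failing.
    static long weakReaderBytesAllocated = 0;

    // Weak reader: bounds the entry count, but every string is allocated at whatever
    // length the remote peer declares, so a handful of entries can demand gigabytes.
    static Map<String, String> readCountLimited(DataInputStream in) throws IOException {
        int count = in.readInt();
        if (count < 0 || count > MAX_ENTRIES) throw new IOException("too many entries: " + count);
        Map<String, String> ctx = new LinkedHashMap<>();
        for (int i = 0; i < count; i++) {
            ctx.put(readUnbounded(in), readUnbounded(in));  // no aggregate limit
        }
        return ctx;
    }

    static String readUnbounded(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0) throw new IOException("negative length");
        byte[] buf = new byte[len];          // allocation sized by attacker-controlled length
        weakReaderBytesAllocated += len;
        in.readFully(buf);                   // only now does a truncated stream get noticed
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Hardened reader: entry cap plus a shrinking byte budget checked before allocating.
    static Map<String, String> readBudgeted(DataInputStream in) throws IOException {
        int count = in.readInt();
        if (count < 0 || count > MAX_ENTRIES) throw new IOException("too many entries: " + count);
        int remaining = MAX_TOTAL_BYTES;
        Map<String, String> ctx = new LinkedHashMap<>();
        for (int i = 0; i < count; i++) {
            byte[] key = readBytesBounded(in, remaining);
            remaining -= key.length;
            byte[] value = readBytesBounded(in, remaining);
            remaining -= value.length;
            ctx.put(new String(key, StandardCharsets.UTF_8), new String(value, StandardCharsets.UTF_8));
        }
        return ctx;
    }

    static byte[] readBytesBounded(DataInputStream in, int remaining) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > remaining) {
            // Reject using the declared length alone; nothing has been allocated yet.
            throw new IOException("declared length " + len + " exceeds remaining budget " + remaining);
        }
        byte[] buf = new byte[len];
        in.readFully(buf);
        return buf;
    }

    // Constructed payload: two entries (within the count cap); the last value declares
    // 64 MiB but carries no body, which is enough to make the weak reader allocate.
    static byte[] constructedPayload() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(2);
        writeString(out, "traceparent");
        writeString(out, "constructed-sample-value");
        writeString(out, "tracestate");
        out.writeInt(64 * 1024 * 1024);  // declared length only; no bytes follow
        out.flush();
        return bos.toByteArray();
    }

    static void writeString(DataOutputStream out, String s) throws IOException {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        out.writeInt(b.length);
        out.write(b);
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = constructedPayload();
        try {
            readCountLimited(new DataInputStream(new ByteArrayInputStream(payload)));
        } catch (IOException e) {
            System.out.println("count-limited reader: allocated " + weakReaderBytesAllocated
                + " bytes before failing with " + e);
        }
        try {
            readBudgeted(new DataInputStream(new ByteArrayInputStream(payload)));
        } catch (IOException e) {
            System.out.println("budgeted reader: rejected before any allocation: " + e.getMessage());
        }
    }
}
```

Run with `java BoundedContextReader.java` (Java 11 or later). The count-limited reader reports 64 MiB allocated before it discovers the truncated stream; with a larger declared length or several such entries that allocation becomes the denial-of-service the advisory describes. The budgeted reader refuses on the declared length alone, which is the property a fix for this class of bug needs: the check must run before the allocation, not after the read fails.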


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: opentelemetry
Product: java_instrumentation
Version / Range: up to 2.27.0 (excluding)

Exploitability

CWE-400: The product does not properly control the allocation and maintenance of a limited resource.

Executive Summary

This vulnerability exists in OpenTelemetry Java Instrumentation versions prior to 2.27.0. It involves the RMI context propagation payload reader, which limits the number of context entries but does not limit the total size of the strings read from the stream.

An attacker who can access an RMI endpoint on a JVM instrumented with OpenTelemetry can send an oversized context propagation payload. Because the payload size is not properly limited, this can cause excessive memory allocation during processing.

This excessive memory allocation can lead to a denial of service condition by exhausting system resources.

Impact Analysis

If you are running a Java application instrumented with OpenTelemetry that has RMI instrumentation enabled and the RMI endpoint is reachable over the network, this vulnerability can be exploited by an attacker.

The impact is a potential denial of service caused by excessive memory allocation when processing an oversized context propagation payload sent by the attacker.

This could lead to application crashes, degraded performance, or unavailability of services.

Mitigation Strategies

To mitigate this vulnerability, ensure that your OpenTelemetry Java Instrumentation version is updated to 2.27.0 or later.

Additionally, if RMI instrumentation is enabled and RMI endpoints are network-reachable, consider disabling RMI instrumentation or restricting network access to RMI endpoints until the update can be applied.

Compliance Impact

The vulnerability described in CVE-2026-54712 causes a denial of service through excessive memory allocation when an attacker sends an oversized context propagation payload to an RMI endpoint on an instrumented JVM. It does not involve unauthorized access, data leakage, or modification of data.

Since the vulnerability does not impact confidentiality or integrity of data, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal and sensitive data.

However, denial of service incidents can indirectly affect availability requirements under some standards, so organizations relying on OpenTelemetry Java Instrumentation with RMI enabled should consider this risk in their availability and incident response planning.
