dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
Description
dd-trace-java is a Datadog APM client for Java. In dd-trace-java versions from 0.40.0 prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must hold for the vulnerability to be exploitable: first, dd-trace-java is attached as a Java agent (-javaagent) on Java 16 or earlier; second, a JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable; third, a gadget-chain-compatible library is present on the classpath. For JDK 17 and later, no action is required, but upgrading is strongly encouraged. For JDK 8u121 and later but earlier than JDK 17, upgrade to dd-trace-java version 1.60.3 or later. For JDK versions earlier than 8u121, where serialization filters (JEP 290) are not available, apply the workaround: set the environment variable DD_INTEGRATION_RMI_ENABLED=false to disable the RMI integration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
dd-trace-java RMI instrumentation deserializes untrusted data without filters, enabling RCE on JDK ≤16 when JMX/RMI is exposed and a gadget chain is present.
Vulnerability
Overview
The Datadog APM client for Java, dd-trace-java, in versions from 0.40.0 prior to 1.60.2, contains an unsafe deserialization vulnerability in its RMI instrumentation [1][3]. The instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters, contrary to secure coding practices for Java deserialization, which require restricting the classes an ObjectInputStream may resolve when the stream comes from an untrusted source [1].
Exploitation
Conditions
Exploitation requires three specific conditions to be met simultaneously [1][3]. First, dd-trace-java must be attached as a Java agent (-javaagent) on a JVM running Java 16 or earlier. Second, a JMX/RMI port must be explicitly configured via -Dcom.sun.management.jmxremote.port and be network-reachable. Third, a gadget-chain-compatible library must be present on the classpath. An attacker with network access to the exposed JMX or RMI port can then send crafted serialized data to trigger deserialization [1][3].
Impact
Successful exploitation can lead to arbitrary remote code execution with the privileges of the user running the instrumented JVM [3]. This represents a critical risk, as it could allow an attacker to fully compromise the affected application and underlying system.
Mitigation
For JDK 17 and later, no action is required, but upgrading is strongly encouraged [1][3]. For JDK versions 8u121 through 16, users should upgrade to dd-trace-java version 1.60.3 or later, which applies serialization filters to the endpoint [2][3]. For JDK versions earlier than 8u121, which predate the JEP 290 serialization filtering API and so cannot benefit from the patched filter, the recommended workaround is to disable the RMI integration by setting the environment variable DD_INTEGRATION_RMI_ENABLED=false [1][3].
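To make the vulnerable pattern described under Overview and the fix described under Mitigation concrete, the following is an added example written for this page, not code from dd-trace-java or from its patch. A hypothetical serializable TraceContext stands in for whatever payload type an RMI endpoint legitimately expects; the same untrusted byte streams are read once through a plain ObjectInputStream, as the unpatched endpoint did, and once through a stream carrying a JEP 290 ObjectInputFilter that allowlists only the expected class and rejects everything else. The class names, field names and sample payloads are all constructed for the illustration. It uses the java.io.ObjectInputFilter API of JDK 9 and later; on JDK 8u121 and later 8 updates the same API is sun.misc.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example for this page, not dd-trace-java code. Requires JDK 9+ for
// java.io.ObjectInputFilter (sun.misc.ObjectInputFilter on JDK 8u121+).
public class FilteredDeserializationDemo {

    // Hypothetical stand-in for the payload type an RMI endpoint legitimately expects.
    public static final class TraceContext implements Serializable {
        private static final long serialVersionUID = 1L;
        final String traceId;
        TraceContext(String traceId) { this.traceId = traceId; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unfiltered read, the pattern the advisory describes: every class named in
    // the stream is resolved and instantiated, and its readObject/readResolve
    // logic runs, before the caller can inspect anything. Any gadget chain on
    // the classpath is therefore reachable by whoever can write to the socket.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Filtered read: a JEP 290 allowlist. Only the expected type (and String,
    // for its field) may appear; "!*" rejects every other class, and the limits
    // cap graph depth, reference count and stream size against resource-
    // exhaustion payloads. Patterns are matched in order, first match wins. A
    // rejected class raises InvalidClassException before an instance is
    // allocated or any of its deserialization hooks run.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "java.lang.String;"
                + TraceContext.class.getName() + ";"
                + "maxdepth=8;maxrefs=64;maxbytes=4096;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one legitimate payload and one arbitrary
        // object graph standing in for whatever an attacker chooses to send.
        byte[] expected = serialize(new TraceContext("4bf92f3577b34da6"));
        byte[] unexpected = serialize(new ArrayList<>(List.of("not a TraceContext")));

        System.out.println("unfiltered accepts: " + readUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getName());

        System.out.println("filtered accepts:   " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepts:   java.util.ArrayList (this should not happen)");
        } catch (InvalidClassException e) {
            // The JDK reports the filter decision, e.g. "filter status: REJECTED".
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FilteredDeserializationDemo.java && java FilteredDeserializationDemo`. The unfiltered path happily returns the ArrayList, which is exactly the shape a gadget-chain payload takes; the filtered path rejects it with InvalidClassException while still accepting the expected type. Two caveats for operators: a filter allowlist must be maintained as the endpoint's legitimate payload types change, and a process-wide fallback exists in the `jdk.serialFilter` system property (same pattern syntax), which constrains every ObjectInputStream in the JVM, including ones inside agents and libraries you do not control. Neither replaces upgrading to a fixed dd-trace-java release or disabling the RMI integration where the filter API is unavailable.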
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.datadoghq:dd-java-agent (Maven) | >= 0.40.0, < 1.60.3 | 1.60.3 |
Affected products
- Range: >= 0.40.0, < 1.60.2
- DataDog/dd-trace-java: >= 0.40.0, < 1.60.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-579q-h82j-r5v2 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33728 (NVD)
- https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3 (release notes for the fixed version)
- https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2 (vendor advisory)
News mentions
No linked articles in our index yet.