Dependency on Vulnerable Third-Party Component in Elastic OTel Java Leading to Remote Code Execution
A dependency on a vulnerable third-party component (CWE-1395) exists in Elastic OTel Java via its dependency on the OpenTelemetry Java instrumentation library. This vulnerability could allow an attacker to perform remote code execution via Object Injection (CAPEC-586). Exploitation requires an attacker with network access to a reachable RMI endpoint on an instrumented JVM, which triggers the known vulnerability CVE-2026-33701 / GHSA-xw7x-h9fj-p2c7.
Affected Versions:
- All Elastic OTel Java versions up to and including 1.9.0
Affected Configurations:
This vulnerability requires all three of the following conditions to be true:
- Elastic OTel Java is attached to the application as a Java agent (-javaagent)
- An RMI endpoint is network-reachable (e.g., a JMX remote port, an RMI registry, or any application-exported RMI service)
- A gadget-chain-compatible library is present on the application's classpath
Deployments that do not expose RMI endpoints to the network, or that do not have gadget-chain-compatible libraries on the classpath, are not exploitable.
Solutions and Mitigations:
The issue is resolved in version 1.10.0, which updates the embedded OpenTelemetry Java instrumentation to version 2.26.1.
For Users that Cannot Upgrade:
Disable the RMI instrumentation by setting the following JVM system property:
-Dotel.instrumentation.rmi.enabled=false
This workaround applies to both self-managed and Kubernetes-based deployments. When using the OpenTelemetry Operator for auto-instrumentation on Kubernetes, this property can be added via the Instrumentation object's environment configuration or through the JAVA_TOOL_OPTIONS environment variable on the instrumented Pod.
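As an added triage helper (not part of this advisory or of the Elastic project), the POSIX shell functions below classify a JVM from two captured `jcmd` dumps: `VM.command_line` (does it carry the agent?) and `VM.system_properties` (is the workaround property set, and is JMX remote configured?). It assumes the Elastic agent jar name contains `elastic-otel-javaagent` and treats `com.sun.management.jmxremote.port` as the sign of an exposed JMX/RMI endpoint; the sample dumps are constructed, not real captures.

```shell
#!/bin/sh
# Classify a JVM from captured text of:
#   jcmd <pid> VM.command_line       (jvm_args line shows -javaagent)
#   jcmd <pid> VM.system_properties  (one key=value per line after a comment header)
# Assumed: agent jar name contains "elastic-otel-javaagent".

agent_attached() {   # $1 = VM.command_line text
  printf '%s\n' "$1" | grep -Eq -e '-javaagent:[^[:space:]]*elastic-otel-javaagent[^[:space:]]*\.jar'
}

rmi_instrumentation_disabled() {   # $1 = VM.system_properties text (the advisory's workaround)
  printf '%s\n' "$1" | grep -Eq '^otel\.instrumentation\.rmi\.enabled=false[[:space:]]*$'
}

jmx_remote_configured() {   # $1 = VM.system_properties text (heuristic for a reachable RMI endpoint)
  printf '%s\n' "$1" | grep -Eq '^com\.sun\.management\.jmxremote\.port=[0-9]+'
}

classify_jvm() {   # $1 = command line dump, $2 = system properties dump
  if ! agent_attached "$1"; then echo not-instrumented; return 0; fi
  if rmi_instrumentation_disabled "$2"; then echo mitigated; return 0; fi
  if jmx_remote_configured "$2"; then echo at-risk-jmx-remote; return 0; fi
  echo at-risk   # agent attached, RMI instrumentation active: upgrade to 1.10.0 or set the property
}

# Constructed sample dumps (not real captures).
SAMPLE_CMDLINE='VM Arguments:
jvm_args: -javaagent:/opt/elastic-otel-javaagent.jar -Dcom.sun.management.jmxremote.port=9010
java_command: com.example.Shop
java_class_path (initial): /app/shop.jar'
SAMPLE_CMDLINE_NOAGENT='VM Arguments:
jvm_args: -Xmx512m
java_command: com.example.Shop'
SAMPLE_PROPS_JMX='#Thu Jan 01 00:00:00 UTC 2026
com.sun.management.jmxremote.port=9010
java.version=21.0.2'
SAMPLE_PROPS_MITIGATED='#Thu Jan 01 00:00:00 UTC 2026
otel.instrumentation.rmi.enabled=false
com.sun.management.jmxremote.port=9010
java.version=21.0.2'

# On a live host: classify_jvm "$(jcmd "$pid" VM.command_line)" "$(jcmd "$pid" VM.system_properties)"
classify_jvm "$SAMPLE_CMDLINE" "$SAMPLE_PROPS_JMX"           # at-risk-jmx-remote
classify_jvm "$SAMPLE_CMDLINE" "$SAMPLE_PROPS_MITIGATED"     # mitigated
classify_jvm "$SAMPLE_CMDLINE_NOAGENT" "$SAMPLE_PROPS_JMX"   # not-instrumented
```

A "mitigated" result only confirms the workaround property; the advisory's permanent fix remains upgrading to 1.10.0.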
Indicators of Compromise (IOC):
Monitor for the following indicators:
- Unexpected inbound network connections to RMI or JMX ports on instrumented JVMs
- Unusual process execution or child processes spawned by the instrumented JVM
- Anomalous deserialization activity in application or JVM logs, particularly stack traces referencing RMI endpoints
Severity: CVSSv4.0: Critical (9.3) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE ID: CVE-2026-33701
GHSA: GHSA-xw7x-h9fj-p2c7
Problem Type: CWE-1395 - Dependency on Vulnerable Third-Party Component