dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution

Description

A vulnerability classified as critical has been found in DataDog dd-trace-java up to 1.60.2. Affected by this vulnerability is an unknown functionality of the component Environment Variable Handler. Performing a manipulation of the argument DD_INTEGRATION_RMI_ENABLED results in deserialization. This vulnerability was named CVE-2026-33728. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.

Affected Products

Vendor	Product	Versions
datadog	dd-trace-java	>= 0.40.0, < 1.60.3

References

https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2(x_refsource_CONFIRM)
https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-33728 | DataDog dd-trace-java up to 1.60.2 Environment Variable DD_INTEGRATION_RMI_ENABLED deserialization (GHSA-579q-h82j-r5v2)

→ No new info (linked only)

CVSS 3.10.0 CRITICAL

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-502

Published3/27/2026

Last enriched3h agov2

Trending Score49

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated severity to CRITICAL, added CVE-2026-33728, and corrected exploit availability status.

descriptionseveritycvssEstimateactivelyExploitedpatchAvailable

via VulDB

v17h ago

Initial creation