CVE-2026-33728: dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution

In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:

1. dd-trace-java is attached as a Java agent (-javaagent) on Java 16 or earlier
2. A JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable
3. A gadget-chain-compatible library is present on the classpath