Elastic OpenTelemetry Java Remote Code Execution Vulnerability
Summary
CERT-FR issued a security advisory warning of a critical remote code execution vulnerability (CVE-2026-33701) in Elastic OpenTelemetry Java affecting versions prior to 1.10.0. The vulnerability allows remote attackers to execute arbitrary code on affected systems. Organizations using the affected software should apply the vendor patch immediately.
What changed
CERT-FR published security advisory CERTFR-2026-AVI-0379 disclosing a critical vulnerability in Elastic OpenTelemetry Java (versions prior to 1.10.0). The vulnerability, tracked as CVE-2026-33701 and sourced from Elastic Security Bulletin 385700, enables remote arbitrary code execution without authentication. The risk level is classified as critical due to the potential for complete system compromise.
Organizations using OpenTelemetry Java in affected versions must upgrade to version 1.10.0 or later immediately. No specific compliance deadline is stated, but due to the critical severity of remote code execution vulnerabilities, immediate patching is strongly recommended. Users should refer to the Elastic Security Bulletin for patch availability and implement compensating controls if patching cannot be performed promptly.
What to do next
- Upgrade OpenTelemetry Java to version 1.10.0 or later, following Elastic Security Bulletin 385700
- Review systems for signs of compromise if the affected software was exposed to untrusted networks
- Implement network segmentation and input validation as compensating controls until patching is complete
Source document (simplified)
Prime Minister, S.G.D.S.N
Agence nationale de la sécurité des systèmes d'information
Paris, 31 March 2026 No. CERTFR-2026-AVI-0379 Case handled by: CERT-FR
CERT-FR Advisory
Subject: Vulnerability in Elastic OpenTelemetry Java
Document management
| Reference | CERTFR-2026-AVI-0379 |
| Title | Vulnerability in Elastic OpenTelemetry Java |
| Date of first version | 31 March 2026 |
| Date of latest version | 31 March 2026 |
| Source(s) | Elastic security bulletin 385700 of 30 March 2026 |
A detailed version history is given at the end of this document.
Risk
- Remote arbitrary code execution
Affected systems
- OpenTelemetry Java versions prior to 1.10.0
Summary
A vulnerability has been discovered in Elastic OpenTelemetry Java. It allows an attacker to cause remote arbitrary code execution.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Documentation
- Elastic security bulletin 385700 of 30 March 2026
- https://discuss.elastic.co/t/elastic-otel-java-1-10-0-security-update-esa-2026-22-ghsa-xw7x-h9fj-p2c7/385700
- CVE reference CVE-2026-33701
- https://www.cve.org/CVERecord?id=CVE-2026-33701
Detailed document history
- 31 March 2026: Initial version