CVE-2026-50271: dd-trace-py: unbounded baggage header parsing causes DoS
HIGHDatadog's Python APM client fails to enforce its own DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES limits when parsing incoming W3C baggage headers, so a single unauthenticated HTTP request with an oversized or highly fragmented baggage value can drive unbounded CPU and memory consumption on the receiving service. This is a network-exploitable, no-auth, low-complexity flaw (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) against any internet-facing service that uses dd-trace-py with baggage propagation enabled — which commonly includes AI/LLM API gateways and agent backends instrumented for observability. There is no evidence of a public exploit, no Nuclei template, and it is not in CISA KEV, so this reads as opportunistic-DoS risk rather than an imminent campaign, but the trivial attack complexity means any exposed, unpatched service is a soft target. Upgrade dd-trace-py to 4.8.2 or later immediately on any public-facing AI service; if immediate patching isn't possible, disable baggage extraction or cap incoming header size at the reverse proxy/WAF as a stopgap, and monitor for abnormal CPU spikes correlated with oversized baggage headers.
What is the risk?
High-severity availability-only vulnerability (CVSS 7.5, C:N/I:N/A:H). Exploitability is trivial — no authentication, no user interaction, low attack complexity, and the payload is a single crafted HTTP header. The absence of EPSS scoring, KEV listing, public exploit code, or a Nuclei template suggests it has not yet drawn mass-scanning attention, but the simplicity of the attack (comma-separated key-value flooding or one oversized value) means weaponization requires no special skill. Any organization running dd-trace-py <4.8.2 with baggage propagation enabled on an internet-reachable service should treat this as an urgent availability risk regardless of current exploitation telemetry.
How does the attack unfold?
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Upgrade dd-trace-py to version 4.8.2 or later, where extract-path enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES is fixed. 2) If immediate upgrade isn't feasible, disable baggage propagation (DD_TRACE_PROPAGATION_STYLE without 'baggage') on internet-facing services until patched. 3) As a compensating control, enforce a request header size limit at the reverse proxy/WAF/load balancer (e.g., cap total header size or specifically the baggage header) in front of any AI/ML API gateway or inference endpoint. 4) Detection: monitor for abnormal CPU/memory spikes on traced services correlating with unusually large or high-cardinality baggage headers in access logs; alert on requests where the baggage header exceeds a few hundred bytes or contains dozens of comma-separated entries.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-50271?
Datadog's Python APM client fails to enforce its own DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES limits when parsing incoming W3C baggage headers, so a single unauthenticated HTTP request with an oversized or highly fragmented baggage value can drive unbounded CPU and memory consumption on the receiving service. This is a network-exploitable, no-auth, low-complexity flaw (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) against any internet-facing service that uses dd-trace-py with baggage propagation enabled — which commonly includes AI/LLM API gateways and agent backends instrumented for observability. There is no evidence of a public exploit, no Nuclei template, and it is not in CISA KEV, so this reads as opportunistic-DoS risk rather than an imminent campaign, but the trivial attack complexity means any exposed, unpatched service is a soft target. Upgrade dd-trace-py to 4.8.2 or later immediately on any public-facing AI service; if immediate patching isn't possible, disable baggage extraction or cap incoming header size at the reverse proxy/WAF as a stopgap, and monitor for abnormal CPU spikes correlated with oversized baggage headers.
Is CVE-2026-50271 actively exploited?
No confirmed active exploitation of CVE-2026-50271 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-50271?
1) Upgrade dd-trace-py to version 4.8.2 or later, where extract-path enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES is fixed. 2) If immediate upgrade isn't feasible, disable baggage propagation (DD_TRACE_PROPAGATION_STYLE without 'baggage') on internet-facing services until patched. 3) As a compensating control, enforce a request header size limit at the reverse proxy/WAF/load balancer (e.g., cap total header size or specifically the baggage header) in front of any AI/ML API gateway or inference endpoint. 4) Detection: monitor for abnormal CPU/memory spikes on traced services correlating with unusually large or high-cardinality baggage headers in access logs; alert on requests where the baggage header exceeds a few hundred bytes or contains dozens of comma-separated entries.
What systems are affected by CVE-2026-50271?
This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines, API gateways.
What is the CVSS score for CVE-2026-50271?
CVE-2026-50271 has a CVSS v3.1 base score of 7.5 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0034.001 Resource-Intensive Queries AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
Datadog dd-trace-py is the Datadog Python APM client. Prior to 4.8.2, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits on the extract path. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial of service against HTTP services with baggage propagation enabled. This issue is fixed in version 4.8.2.
Exploitation Scenario
An attacker identifies a public-facing AI service (e.g., an LLM inference API, RAG query endpoint, or agent orchestration gateway) that is instrumented with Datadog APM via dd-trace-py and has W3C baggage propagation enabled. Without needing any credentials, the attacker sends a single HTTP request containing a baggage header packed with thousands of comma-separated key-value pairs (or one very large value). The vulnerable extraction code parses the entire header without enforcing configured size/count limits, consuming excessive CPU and memory on the request-handling process. Repeated or concurrent requests amplify the effect, degrading or crashing the AI service and denying access to legitimate users and downstream automated consumers.
Weaknesses (CWE)
CWE-770 Allocation of Resources Without Limits or Throttling
Primary
CWE-770 Allocation of Resources Without Limits or Throttling CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
- [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
- [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same attack type: DoS CVE-2023-25668 9.8 TensorFlow: unauthenticated RCE via heap buffer overflow
Same attack type: DoS CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same attack type: DoS CVE-2022-35939 9.8 TensorFlow: ScatterNd OOB write enables RCE/crash
Same attack type: DoS CVE-2022-41900 9.8 TensorFlow: heap OOB RCE in FractionalMaxPool op
Same attack type: DoS