CVE-2026-50271: dd-trace-py: unbounded baggage header parsing causes DoS

HIGH
Published July 17, 2026
CISO Take

Datadog's Python APM client fails to enforce its own DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES limits when parsing incoming W3C baggage headers, so a single unauthenticated HTTP request with an oversized or highly fragmented baggage value can drive unbounded CPU and memory consumption on the receiving service. This is a network-exploitable, no-auth, low-complexity flaw (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) against any internet-facing service that uses dd-trace-py with baggage propagation enabled — which commonly includes AI/LLM API gateways and agent backends instrumented for observability. There is no evidence of a public exploit, no Nuclei template, and it is not in CISA KEV, so this reads as opportunistic-DoS risk rather than an imminent campaign, but the trivial attack complexity means any exposed, unpatched service is a soft target. Upgrade dd-trace-py to 4.8.2 or later immediately on any public-facing AI service; if immediate patching isn't possible, disable baggage extraction or cap incoming header size at the reverse proxy/WAF as a stopgap, and monitor for abnormal CPU spikes correlated with oversized baggage headers.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High-severity availability-only vulnerability (CVSS 7.5, C:N/I:N/A:H). Exploitability is trivial — no authentication, no user interaction, low attack complexity, and the payload is a single crafted HTTP header. The absence of EPSS scoring, KEV listing, public exploit code, or a Nuclei template suggests it has not yet drawn mass-scanning attention, but the simplicity of the attack (comma-separated key-value flooding or one oversized value) means weaponization requires no special skill. Any organization running dd-trace-py <4.8.2 with baggage propagation enabled on an internet-reachable service should treat this as an urgent availability risk regardless of current exploitation telemetry.

How does the attack unfold?

Target identification
Attacker identifies an internet-facing AI service instrumented with dd-trace-py and W3C baggage propagation enabled.
AML.T0049
Malicious request
Attacker sends a single unauthenticated HTTP request with a baggage header containing thousands of key-value pairs or one very large value.
AML.T0034.001
Resource exhaustion
The vulnerable extraction path parses the header without enforcing configured size/count limits, consuming excessive CPU and memory.
Service outage
The instrumented AI service degrades or crashes, denying access to legitimate users and downstream consumers.
AML.T0029

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

1 step
  1. 1) Upgrade dd-trace-py to version 4.8.2 or later, where extract-path enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES is fixed. 2) If immediate upgrade isn't feasible, disable baggage propagation (DD_TRACE_PROPAGATION_STYLE without 'baggage') on internet-facing services until patched. 3) As a compensating control, enforce a request header size limit at the reverse proxy/WAF/load balancer (e.g., cap total header size or specifically the baggage header) in front of any AI/ML API gateway or inference endpoint. 4) Detection: monitor for abnormal CPU/memory spikes on traced services correlating with unusually large or high-cardinality baggage headers in access logs; alert on requests where the baggage header exceeds a few hundred bytes or contains dozens of comma-separated entries.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

NIST AI RMF
MANAGE 4.1 - Post-deployment monitoring and risk treatment for AI system resilience
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2026-50271?

Datadog's Python APM client fails to enforce its own DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES limits when parsing incoming W3C baggage headers, so a single unauthenticated HTTP request with an oversized or highly fragmented baggage value can drive unbounded CPU and memory consumption on the receiving service. This is a network-exploitable, no-auth, low-complexity flaw (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) against any internet-facing service that uses dd-trace-py with baggage propagation enabled — which commonly includes AI/LLM API gateways and agent backends instrumented for observability. There is no evidence of a public exploit, no Nuclei template, and it is not in CISA KEV, so this reads as opportunistic-DoS risk rather than an imminent campaign, but the trivial attack complexity means any exposed, unpatched service is a soft target. Upgrade dd-trace-py to 4.8.2 or later immediately on any public-facing AI service; if immediate patching isn't possible, disable baggage extraction or cap incoming header size at the reverse proxy/WAF as a stopgap, and monitor for abnormal CPU spikes correlated with oversized baggage headers.

Is CVE-2026-50271 actively exploited?

No confirmed active exploitation of CVE-2026-50271 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-50271?

1) Upgrade dd-trace-py to version 4.8.2 or later, where extract-path enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES is fixed. 2) If immediate upgrade isn't feasible, disable baggage propagation (DD_TRACE_PROPAGATION_STYLE without 'baggage') on internet-facing services until patched. 3) As a compensating control, enforce a request header size limit at the reverse proxy/WAF/load balancer (e.g., cap total header size or specifically the baggage header) in front of any AI/ML API gateway or inference endpoint. 4) Detection: monitor for abnormal CPU/memory spikes on traced services correlating with unusually large or high-cardinality baggage headers in access logs; alert on requests where the baggage header exceeds a few hundred bytes or contains dozens of comma-separated entries.

What systems are affected by CVE-2026-50271?

This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines, API gateways.

What is the CVSS score for CVE-2026-50271?

CVE-2026-50271 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

model servingagent frameworksRAG pipelinesAPI gateways

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034.001 Resource-Intensive Queries
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

Datadog dd-trace-py is the Datadog Python APM client. Prior to 4.8.2, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits on the extract path. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial of service against HTTP services with baggage propagation enabled. This issue is fixed in version 4.8.2.

Exploitation Scenario

An attacker identifies a public-facing AI service (e.g., an LLM inference API, RAG query endpoint, or agent orchestration gateway) that is instrumented with Datadog APM via dd-trace-py and has W3C baggage propagation enabled. Without needing any credentials, the attacker sends a single HTTP request containing a baggage header packed with thousands of comma-separated key-value pairs (or one very large value). The vulnerable extraction code parses the entire header without enforcing configured size/count limits, consuming excessive CPU and memory on the request-handling process. Repeated or concurrent requests amplify the effect, degrading or crashing the AI service and denying access to legitimate users and downstream automated consumers.

Weaknesses (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

  • [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
  • [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities