CVE-2026-50273: Datadog .NET Tracer: DoS via unbounded baggage header
HIGHDatadog's .NET Tracer parses the W3C 'baggage' HTTP header without enforcing the DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits during extraction, so a remote unauthenticated attacker can send one request with thousands of comma-separated key-value pairs, or a single oversized value, and drive unbounded CPU and memory consumption on any service with baggage propagation enabled. The CVSS 7.5 score reflects a purely availability-impacting bug (C:N/I:N/A:H) that requires no authentication, no user interaction, and low attack complexity — the only barrier to exploitation is knowing the service runs an unpatched dd-trace-dotnet with tracing enabled. There is no CISA KEV listing, no published EPSS score, and no public exploit or Nuclei template yet, so this looks pre-weaponization rather than actively exploited, but the fix is a one-line header and trivial to craft once details circulate. Any .NET-based AI service — inference gateways, agent orchestrators, API layers — fronted by this tracer should upgrade to dd-trace-dotnet 3.43.0, or in the interim explicitly cap DD_TRACE_BAGGAGE_MAX_ITEMS/DD_TRACE_BAGGAGE_MAX_BYTES and strip abnormally large baggage headers at the edge proxy/WAF.
What is the risk?
High-severity, low-effort DoS (CVSS 3.1: 7.5, AV:N/AC:L/PR:N/UI:N/A:H). Exploitability is trivial — a single crafted HTTP header, no authentication or AI/ML expertise required — but current exploitation likelihood is unconfirmed: no EPSS score published, not in CISA KEV, and no public PoC or Nuclei template exists yet. Impact is scoped to availability only (no confidentiality/integrity loss), but because baggage context propagates across service boundaries, the blast radius can extend beyond the first-hit service into every downstream .NET microservice sharing the same trace context.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| dd-trace-dotnet | — | — | No patch |
Do you use dd-trace-dotnet? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade dd-trace-dotnet to 3.43.0 or later immediately on any internet-facing .NET service. Where immediate upgrade isn't feasible, explicitly set DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES as a stopgap and strip or truncate oversized 'baggage' headers at the reverse proxy/WAF/API gateway before they reach instrumented services. For detection, monitor ingress logs for anomalously large or high-cardinality baggage headers and correlate with CPU/memory spikes on APM-instrumented hosts; alert on request threads with unusually long parse times.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-50273?
Datadog's .NET Tracer parses the W3C 'baggage' HTTP header without enforcing the DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits during extraction, so a remote unauthenticated attacker can send one request with thousands of comma-separated key-value pairs, or a single oversized value, and drive unbounded CPU and memory consumption on any service with baggage propagation enabled. The CVSS 7.5 score reflects a purely availability-impacting bug (C:N/I:N/A:H) that requires no authentication, no user interaction, and low attack complexity — the only barrier to exploitation is knowing the service runs an unpatched dd-trace-dotnet with tracing enabled. There is no CISA KEV listing, no published EPSS score, and no public exploit or Nuclei template yet, so this looks pre-weaponization rather than actively exploited, but the fix is a one-line header and trivial to craft once details circulate. Any .NET-based AI service — inference gateways, agent orchestrators, API layers — fronted by this tracer should upgrade to dd-trace-dotnet 3.43.0, or in the interim explicitly cap DD_TRACE_BAGGAGE_MAX_ITEMS/DD_TRACE_BAGGAGE_MAX_BYTES and strip abnormally large baggage headers at the edge proxy/WAF.
Is CVE-2026-50273 actively exploited?
No confirmed active exploitation of CVE-2026-50273 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-50273?
Upgrade dd-trace-dotnet to 3.43.0 or later immediately on any internet-facing .NET service. Where immediate upgrade isn't feasible, explicitly set DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES as a stopgap and strip or truncate oversized 'baggage' headers at the reverse proxy/WAF/API gateway before they reach instrumented services. For detection, monitor ingress logs for anomalously large or high-cardinality baggage headers and correlate with CPU/memory spikes on APM-instrumented hosts; alert on request threads with unusually long parse times.
What systems are affected by CVE-2026-50273?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, model serving.
What is the CVSS score for CVE-2026-50273?
CVE-2026-50273 has a CVSS v3.1 base score of 7.5 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0034.001 Resource-Intensive Queries AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction, allowing a remote unauthenticated attacker to send a baggage header with many comma-separated key-value pairs or one very large value and cause unbounded CPU and memory consumption in services with baggage propagation enabled. This issue is fixed in version 3.43.0.
Exploitation Scenario
An attacker sends a single HTTP request to a public-facing .NET AI inference API or agent gateway with a 'baggage' header containing thousands of comma-separated key=value pairs (or one very large value). The Datadog tracer's extraction logic parses the entire header without bounds checking, consuming unbounded CPU and memory on that request thread. Because baggage is designed to propagate through service-to-service calls, if the hit service forwards the request downstream to other Datadog-instrumented .NET microservices in an agent orchestration or model-serving pipeline, the resource exhaustion can amplify across hops, degrading or crashing multiple services from a single crafted request.
Weaknesses (CWE)
CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
- [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
- [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References
- github.com/DataDog/dd-trace-dotnet/commit/38092e0d41a36decbe649e048e48ae1b1607292f x_refsource_MISC
- github.com/DataDog/dd-trace-dotnet/pull/8555 x_refsource_MISC
- github.com/DataDog/dd-trace-dotnet/releases/tag/v3.43.0 x_refsource_MISC
- github.com/DataDog/dd-trace-dotnet/security/advisories/GHSA-38wr-vpc7-2mp4 x_refsource_CONFIRM
Timeline
Related Vulnerabilities
CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same attack type: DoS CVE-2023-25668 9.8 TensorFlow: unauthenticated RCE via heap buffer overflow
Same attack type: DoS CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same attack type: DoS CVE-2022-35939 9.8 TensorFlow: ScatterNd OOB write enables RCE/crash
Same attack type: DoS CVE-2022-41900 9.8 TensorFlow: heap OOB RCE in FractionalMaxPool op
Same attack type: DoS