CVE-2026-50273: Datadog .NET Tracer: DoS via unbounded baggage header

HIGH
Published July 17, 2026
CISO Take

Datadog's .NET Tracer parses the W3C 'baggage' HTTP header without enforcing the DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits during extraction, so a remote unauthenticated attacker can send one request with thousands of comma-separated key-value pairs, or a single oversized value, and drive unbounded CPU and memory consumption on any service with baggage propagation enabled. The CVSS 7.5 score reflects a purely availability-impacting bug (C:N/I:N/A:H) that requires no authentication, no user interaction, and low attack complexity — the only barrier to exploitation is knowing the service runs an unpatched dd-trace-dotnet with tracing enabled. There is no CISA KEV listing, no published EPSS score, and no public exploit or Nuclei template yet, so this looks pre-weaponization rather than actively exploited, but the fix is a one-line header and trivial to craft once details circulate. Any .NET-based AI service — inference gateways, agent orchestrators, API layers — fronted by this tracer should upgrade to dd-trace-dotnet 3.43.0, or in the interim explicitly cap DD_TRACE_BAGGAGE_MAX_ITEMS/DD_TRACE_BAGGAGE_MAX_BYTES and strip abnormally large baggage headers at the edge proxy/WAF.

Sources: NVD GitHub Advisory

What is the risk?

High-severity, low-effort DoS (CVSS 3.1: 7.5, AV:N/AC:L/PR:N/UI:N/A:H). Exploitability is trivial — a single crafted HTTP header, no authentication or AI/ML expertise required — but current exploitation likelihood is unconfirmed: no EPSS score published, not in CISA KEV, and no public PoC or Nuclei template exists yet. Impact is scoped to availability only (no confidentiality/integrity loss), but because baggage context propagates across service boundaries, the blast radius can extend beyond the first-hit service into every downstream .NET microservice sharing the same trace context.

How does the attack unfold?

Target identification
Attacker identifies a public-facing .NET service (e.g., an AI inference API or agent gateway) instrumented with an unpatched dd-trace-dotnet and baggage propagation enabled.
AML.T0049
Crafted header delivery
Attacker sends a single HTTP request containing a 'baggage' header with thousands of comma-separated key-value pairs or one very large value.
AML.T0034.001
Unbounded resource consumption
The tracer parses the header without enforcing max-items/max-bytes limits, consuming unbounded CPU and memory on the request thread.
Service degradation or outage
The affected service, and potentially downstream services sharing the propagated trace context, become unresponsive or crash, denying availability to legitimate users.
AML.T0029

What systems are affected?

Package Ecosystem Vulnerable Range Patched
dd-trace-dotnet No patch

Do you use dd-trace-dotnet? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

1 step
  1. Upgrade dd-trace-dotnet to 3.43.0 or later immediately on any internet-facing .NET service. Where immediate upgrade isn't feasible, explicitly set DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES as a stopgap and strip or truncate oversized 'baggage' headers at the reverse proxy/WAF/API gateway before they reach instrumented services. For detection, monitor ingress logs for anomalously large or high-cardinality baggage headers and correlate with CPU/memory spikes on APM-instrumented hosts; alert on request threads with unusually long parse times.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2026-50273?

Datadog's .NET Tracer parses the W3C 'baggage' HTTP header without enforcing the DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits during extraction, so a remote unauthenticated attacker can send one request with thousands of comma-separated key-value pairs, or a single oversized value, and drive unbounded CPU and memory consumption on any service with baggage propagation enabled. The CVSS 7.5 score reflects a purely availability-impacting bug (C:N/I:N/A:H) that requires no authentication, no user interaction, and low attack complexity — the only barrier to exploitation is knowing the service runs an unpatched dd-trace-dotnet with tracing enabled. There is no CISA KEV listing, no published EPSS score, and no public exploit or Nuclei template yet, so this looks pre-weaponization rather than actively exploited, but the fix is a one-line header and trivial to craft once details circulate. Any .NET-based AI service — inference gateways, agent orchestrators, API layers — fronted by this tracer should upgrade to dd-trace-dotnet 3.43.0, or in the interim explicitly cap DD_TRACE_BAGGAGE_MAX_ITEMS/DD_TRACE_BAGGAGE_MAX_BYTES and strip abnormally large baggage headers at the edge proxy/WAF.

Is CVE-2026-50273 actively exploited?

No confirmed active exploitation of CVE-2026-50273 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-50273?

Upgrade dd-trace-dotnet to 3.43.0 or later immediately on any internet-facing .NET service. Where immediate upgrade isn't feasible, explicitly set DD_TRACE_BAGGAGE_MAX_ITEMS and DD_TRACE_BAGGAGE_MAX_BYTES as a stopgap and strip or truncate oversized 'baggage' headers at the reverse proxy/WAF/API gateway before they reach instrumented services. For detection, monitor ingress logs for anomalously large or high-cardinality baggage headers and correlate with CPU/memory spikes on APM-instrumented hosts; alert on request threads with unusually long parse times.

What systems are affected by CVE-2026-50273?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, model serving.

What is the CVSS score for CVE-2026-50273?

CVE-2026-50273 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksmodel serving

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034.001 Resource-Intensive Queries
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES on extraction, allowing a remote unauthenticated attacker to send a baggage header with many comma-separated key-value pairs or one very large value and cause unbounded CPU and memory consumption in services with baggage propagation enabled. This issue is fixed in version 3.43.0.

Exploitation Scenario

An attacker sends a single HTTP request to a public-facing .NET AI inference API or agent gateway with a 'baggage' header containing thousands of comma-separated key=value pairs (or one very large value). The Datadog tracer's extraction logic parses the entire header without bounds checking, consuming unbounded CPU and memory on that request thread. Because baggage is designed to propagate through service-to-service calls, if the hit service forwards the request downstream to other Datadog-instrumented .NET microservices in an agent orchestration or model-serving pipeline, the resource exhaustion can amplify across hops, degrading or crashing multiple services from a single crafted request.

Weaknesses (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

  • [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
  • [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities