CVE-2026-50271
Received Received - Intake

Denial of Service in Datadog dd-trace-py via W3C Baggage Header

Vulnerability report for CVE-2026-50271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Datadog dd-trace-py is the Datadog Python APM client. Prior to 4.8.2, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES limits on the extract path. A remote, unauthenticated attacker can send a request whose baggage header contains an arbitrarily large number of comma-separated key-value pairs or a single very large value, causing unbounded CPU and memory consumption and enabling a remote denial of service against HTTP services with baggage propagation enabled. This issue is fixed in version 4.8.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
datadog dd-trace-py 4.8.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Datadog dd-trace-py versions before 4.8.2 have a flaw in W3C baggage header parsing. The library does not enforce size limits on incoming baggage HTTP headers, allowing attackers to send requests with an excessive number of key-value pairs or oversized values. This causes high CPU and memory usage, leading to a denial of service.

Detection Guidance

To detect this vulnerability, check if your Datadog dd-trace-py version is below 4.8.2. Run: pip show dd-trace or pip list | grep dd-trace. If the version is older, update immediately. Monitor for high CPU or memory usage in HTTP services using tools like top, htop, or ps.

Impact Analysis

If you use Datadog tracing in your Python applications, an attacker could exploit this to crash your HTTP services by sending specially crafted baggage headers. This disrupts service availability and may cause downtime for your applications.

Compliance Impact

This vulnerability could indirectly impact compliance with GDPR and HIPAA by enabling denial of service attacks against HTTP services handling sensitive data. Unbounded CPU and memory consumption may disrupt services processing personal or health information, potentially violating availability requirements under these regulations.

Mitigation Strategies

Update the Datadog dd-trace-py library to version 4.8.2 or later to address the vulnerability. Disable baggage propagation if not required by setting DD_TRACE_BAGGAGE_ENABLED=false.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart