PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50271 DataDog CVE debrief

CVE-2026-50271 is a denial of service vulnerability in Datadog's dd-trace-py, a Python APM client. The issue allows for remote, unauthenticated attackers to cause unbounded CPU and memory consumption via specially crafted baggage HTTP headers. This vulnerability has a high impact on users of Datadog's dd-trace-py, especially those with exposure to untrusted HTTP traffic. Successful exploitation enables a remote denial of service against HTTP services with baggage propagation enabled. The issue is addressed in version 4.8.2. Users should prioritize patching to version 4.8.2 or later.

Vendor
DataDog
Product
dd-trace-py
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Datadog's dd-trace-py, especially those with exposure to untrusted HTTP traffic, should prioritize patching to version 4.8.2 or later. Affected operators, platforms, vulnerability-management, and security teams should review and limit exposure of dd-trace-py to untrusted HTTP traffic. They should also monitor for unusual patterns in HTTP traffic and system resource utilization.

Technical summary

Prior to version 4.8.2, Datadog's dd-trace-py tracing libraries implementing W3C baggage propagation did not enforce limits on the number of items or bytes in incoming baggage HTTP headers. This oversight allows remote attackers to send requests with excessively large or numerous key-value pairs in the baggage header, leading to unbounded CPU and memory consumption. Successful exploitation enables a remote denial of service against HTTP services with baggage propagation enabled. The issue is addressed in version 4.8.2.

Defensive priority

High

Recommended defensive actions

  • Upgrade dd-trace-py to version 4.8.2 or later
  • Review and limit exposure of dd-trace-py to untrusted HTTP traffic
  • Monitor for unusual patterns in HTTP traffic and system resource utilization
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD entry provide details on the vulnerability. Official references include commits, pull requests, and advisories from the Datadog GitHub repository. The issue allows for remote, unauthenticated attackers to cause unbounded CPU and memory consumption via specially crafted baggage HTTP headers. Users should verify affected scope, severity, and vendor guidance. Defenders should review compensating controls for exposed systems while remediation is scheduled and verified.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:07.070Z and has not been modified since then.