PatchSiren cyber security CVE debrief
CVE-2026-50271 DataDog CVE debrief
CVE-2026-50271 is a denial of service vulnerability in Datadog's dd-trace-py, a Python APM client. The issue allows for remote, unauthenticated attackers to cause unbounded CPU and memory consumption via specially crafted baggage HTTP headers. This vulnerability has a high impact on users of Datadog's dd-trace-py, especially those with exposure to untrusted HTTP traffic. Successful exploitation enables a remote denial of service against HTTP services with baggage propagation enabled. The issue is addressed in version 4.8.2. Users should prioritize patching to version 4.8.2 or later.
- Vendor
- DataDog
- Product
- dd-trace-py
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of Datadog's dd-trace-py, especially those with exposure to untrusted HTTP traffic, should prioritize patching to version 4.8.2 or later. Affected operators, platforms, vulnerability-management, and security teams should review and limit exposure of dd-trace-py to untrusted HTTP traffic. They should also monitor for unusual patterns in HTTP traffic and system resource utilization.
Technical summary
Prior to version 4.8.2, Datadog's dd-trace-py tracing libraries implementing W3C baggage propagation did not enforce limits on the number of items or bytes in incoming baggage HTTP headers. This oversight allows remote attackers to send requests with excessively large or numerous key-value pairs in the baggage header, leading to unbounded CPU and memory consumption. Successful exploitation enables a remote denial of service against HTTP services with baggage propagation enabled. The issue is addressed in version 4.8.2.
Defensive priority
High
Recommended defensive actions
- Upgrade dd-trace-py to version 4.8.2 or later
- Review and limit exposure of dd-trace-py to untrusted HTTP traffic
- Monitor for unusual patterns in HTTP traffic and system resource utilization
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD entry provide details on the vulnerability. Official references include commits, pull requests, and advisories from the Datadog GitHub repository. The issue allows for remote, unauthenticated attackers to cause unbounded CPU and memory consumption via specially crafted baggage HTTP headers. Users should verify affected scope, severity, and vendor guidance. Defenders should review compensating controls for exposed systems while remediation is scheduled and verified.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:07.070Z and has not been modified since then.