CVE-2026-21874
Severity: MEDIUM
NiceGUI 2.10.0-3.4.1 - Unauthenticated Resource Exhaustion via Redis Connection Leak
Title source: llmDescription
NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.
References (3)
Exploit, Vendor Advisory (x_refsource_confirm): https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2
Patch (x_refsource_misc): https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83
Release Notes (x_refsource_misc): https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0
Scores
CVSS v3: 5.3
EPSS: 0.0051
EPSS Percentile: 39.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-772
Status: published
Products (2)
pypi/nicegui (PyPI): 2.10.0 - 3.5.0
zauberzeug/nicegui: 2.10.0 - 3.5.0
Published: Jan 08, 2026
Tracked Since: Feb 18, 2026