Description
NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.
Published: 2026-01-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Connection Resource Exhaustion leading to Service Degradation
Action: Apply Patch
AI Analysis

Impact

NiceGUI is a Python-based UI framework that supports Redis-backed storage. From versions 2.10.0 to 3.4.1, an unauthenticated attacker can cause a Redis connection leak (CWE-772: Missing Release of Resource after Effective Lifetime) by repeatedly opening and closing browser tabs on any NiceGUI application that uses Redis. The framework does not release the connections, so the Redis connection pool is eventually exhausted. When the limit is reached, the application continues to accept new connections and logs errors, but the storage layer becomes non-functional, resulting in degraded service quality or intermittent failures.

Affected Systems

The affected product is NiceGUI from Zauberzeug. All releases from version 2.10.0 up to and including 3.4.1 are vulnerable. Version 3.5.0 and later include the fix.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity. The EPSS score of less than 1 % signals a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is any end user interacting with a vulnerable NiceGUI application: no authentication is required, and the leak is triggered simply by opening many tabs. Because the exposure is unprivileged and tied to client-side navigation, a large-scale impact would require many users, or a single user, to open a very large number of tabs. Successful exploitation consumes all Redis connections, causing the application to log errors and lose its storage functionality, which affects availability.

Generated by OpenCVE AI on April 18, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NiceGUI 3.5.0 or later.
  • If an immediate upgrade is not possible, throttle how quickly new client sessions (tabs) can be opened, which limits the rate at which Redis connections are requested.
  • Set a strict maximum connection limit on Redis and monitor connection usage via Redis metrics so that exhaustion can be detected before it affects the application.
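The last recommendation, monitoring Redis connection usage so that exhaustion is caught before storage breaks, is illustrated by the following added example. It is not OpenCVE's or NiceGUI's code. It parses the text that Redis returns for `INFO clients` (the sample below is constructed; `maxclients` is reported there on Redis 7.0 and later, older servers need the value from `CONFIG GET maxclients` passed in), classifies the headroom against the configured limit, and adds a simple leak heuristic: a connection count that only ever rises during a quiet period matches the never-released pattern described in this advisory, whereas ordinary load rises and falls.

```python
from dataclasses import dataclass

# Constructed sample of `INFO clients` output (redis-cli, or the raw text behind
# redis.Redis().info('clients')). The numbers are invented for this example.
SAMPLE_INFO_CLIENTS = (
    "# Clients\r\n"
    "connected_clients:9421\r\n"
    "cluster_connections:0\r\n"
    "maxclients:10000\r\n"
    "client_recent_max_input_buffer:20480\r\n"
    "client_recent_max_output_buffer:0\r\n"
    "blocked_clients:0\r\n"
    "tracking_clients:0\r\n"
    "clients_in_timeout_table:0\r\n"
)


def parse_info(text: str) -> dict[str, str]:
    """Parse Redis INFO output (key:value per line, '#' section headers) into a dict."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


@dataclass
class ConnectionStatus:
    connected: int
    limit: int
    utilisation: float  # fraction of the limit in use, 0.0 .. 1.0
    level: str          # "ok", "warning" or "critical"


def assess_connections(info_text: str, warn_at: float = 0.8, critical_at: float = 0.95,
                       fallback_maxclients: int = 10000) -> ConnectionStatus:
    """Compare connected_clients with maxclients and classify the remaining headroom.

    `fallback_maxclients` is used when INFO does not report maxclients (Redis < 7.0);
    pass the value from `CONFIG GET maxclients` in that case. 10000 is Redis's default.
    """
    info = parse_info(info_text)
    connected = int(info["connected_clients"])
    limit = int(info.get("maxclients", fallback_maxclients))
    utilisation = connected / limit
    if utilisation >= critical_at:
        level = "critical"
    elif utilisation >= warn_at:
        level = "warning"
    else:
        level = "ok"
    return ConnectionStatus(connected, limit, round(utilisation, 4), level)


def looks_like_leak(connected_series: list[int], min_points: int = 5) -> bool:
    """Heuristic over periodic samples of connected_clients.

    A count that strictly increases at every sample suggests connections are being
    opened but never released; normal traffic fluctuates. Too few samples: no verdict.
    """
    if len(connected_series) < min_points:
        return False
    return all(later > earlier for earlier, later in zip(connected_series, connected_series[1:]))


if __name__ == "__main__":
    status = assess_connections(SAMPLE_INFO_CLIENTS)
    print(f"{status.connected}/{status.limit} connections in use "
          f"({status.utilisation:.1%}) -> {status.level}")
    # Constructed series of samples taken one minute apart on an otherwise idle app.
    print("leak suspected:", looks_like_leak([120, 134, 151, 163, 178, 190]))
```

In production the INFO text would come from `redis-cli INFO clients` on a schedule or from the `redis` Python client, and a "warning" level or a positive leak verdict would page the on-call engineer; the thresholds are deliberately parameters because the right headroom depends on how many application workers share the server.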



Advisories

Source: GitHub GHSA
ID: GHSA-mp55-g7pj-rvm2
Title: NiceGUI has Redis connection leak via tab storage causes service degradation
History

Thu, 15 Jan 2026 18:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*

Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Zauberzeug; Zauberzeug nicegui

Type: Vendors & Products
Values Removed: (none)
Values Added: Zauberzeug; Zauberzeug nicegui

Thu, 08 Jan 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 10:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.

Type: Title
Values Removed: (none)
Values Added: NiceGUI has Redis connection leak via tab storage causes service degradation

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-772

Type: References
Values Removed: (none)
Values Added:

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T14:43:50.018Z

Reserved: 2026-01-05T16:44:16.369Z

Link: CVE-2026-21874

Vulnrichment

Updated: 2026-01-08T14:43:38.996Z

NVD

Status: Analyzed

Published: 2026-01-08T10:15:55.820

Modified: 2026-01-15T17:50:01.530

Link: CVE-2026-21874

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses