CVE-2026-45554 - Vulnerability Details

- NiceGUI: Unauthenticated log-flood DoS via trailing slash on ESM and per-component resource routes

Description

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. This issue has been patched in version 3.12.0.

Published: 2026-06-02

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

NiceGUI, a Python UI framework, has a flaw where two FastAPI routes that serve per-component static assets accept a sub-path that can refer to a directory. When such a request is made, an unhandled RuntimeError occurs inside Starlette’s FileResponse, causing Uvicorn to log a full exception traceback. This represents an unexpected error that can be triggered without authentication and can be used to amplify log output.

Affected Systems

All installations of NiceGUI version 3.11 and earlier, produced by zauberzeug, are affected. The patch that fixes the issue is included in release 3.12.0.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate risk. There is no EPSS score available and the issue is not listed in the CISA KEV catalog. A remote attacker can reach the vulnerable routes without authentication and send a large number of requests that generate massive log traces, potentially saturating disk or log‑pipeline resources. No additional prerequisites are required beyond network reachability to the NiceGUI server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

zauberzeug

nicegui

affected

Version	Status	Constraints
`< 3.12.0`	affected	—

No data.

Vendor Product Confidence Versions

Zauberzeug

Nicegui

100%

Version	Status	Scheme	Platform
`[0,3.12.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade NiceGUI to version 3.12.0 or later.
Restrict network access to the NiceGUI static asset routes if an upgrade cannot be performed immediately.
Configure log rotation and enforce disk space limits to mitigate the impact of potential log flooding.

Generated by OpenCVE AI on June 2, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-pq7c-x8g4-rvp6	NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00343.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/zauberzeug/nicegui/releases/tag/v3.12.0
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6

History

Tue, 02 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 02 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zauberzeug Zauberzeug nicegui
Vendors & Products		Zauberzeug Zauberzeug nicegui

Tue, 02 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. This issue has been patched in version 3.12.0.
Title		NiceGUI: Unauthenticated log-flood DoS via trailing slash on ESM and per-component resource routes
Weaknesses		CWE-248 CWE-770
References		https://github.com/zauberzeug/nicegui/releases/tag/v3.12.0 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Zauberzeug Nicegui

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-02T15:35:07.125Z

Updated: 2026-06-02T18:03:46.033Z

Reserved: 2026-05-12T17:48:47.880Z

Link: CVE-2026-45554

Vulnrichment

Updated: 2026-06-02T18:03:38.536Z

NVD

Status : Deferred

Published: 2026-06-02T16:16:41.977

Modified: 2026-06-02T17:15:44.040

Link: CVE-2026-45554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T17:00:16Z

Weaknesses

CWE-248
Uncaught Exception
CWE-770
Allocation of Resources Without Limits or Throttling

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object