{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21874", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T16:44:16.369Z", "datePublished": "2026-01-08T09:50:47.247Z", "dateUpdated": "2026-01-08T14:43:50.018Z"}, "containers": {"cna": {"title": "NiceGUI has Redis connection leak via tab storage causes service degradation", "problemTypes": [{"descriptions": [{"cweId": "CWE-772", "lang": "en", "description": "CWE-772: Missing Release of Resource after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2"}, {"name": "https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83", "tags": ["x_refsource_MISC"], "url": "https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83"}, {"name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0"}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"version": ">= 2.10.0, < 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T09:50:47.247Z"}, "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0."}], "source": {"advisory": "GHSA-mp55-g7pj-rvm2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T14:43:46.386940Z", "id": "CVE-2026-21874", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:43:50.018Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21874", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T14:43:46.386940Z"}}}], "references": [{"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:43:38.996Z"}}], "cna": {"title": "NiceGUI has Redis connection leak via tab storage causes service degradation", "source": {"advisory": "GHSA-mp55-g7pj-rvm2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "zauberzeug", "product": "nicegui", "versions": [{"status": "affected", "version": ">= 2.10.0, < 3.5.0"}]}], "references": [{"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2", "name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83", "name": "https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-772", "description": "CWE-772: Missing Release of Resource after Effective Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T09:50:47.247Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21874", "state": "PUBLISHED", "dateUpdated": "2026-01-08T14:43:50.018Z", "dateReserved": "2026-01-05T16:44:16.369Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T09:50:47.247Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FBD1A44-26D5-44F9-9D65-6654C756FB59", "versionEndExcluding": "3.5.0", "versionStartIncluding": "2.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0."}], "id": "CVE-2026-21874", "lastModified": "2026-01-15T17:50:01.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:55.820", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-772"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:44:57.053153+00:00", "value": {"mitigation_remediation": ["Upgrade to NiceGUI\u00a03.5.0 or later.", "If immediate upgrade is not possible, restrict client tab usage or implement throttling to prevent rapid tab opening, thereby limiting the rate at which connections are requested.", "Set a strict maximum connection limit on Redis and monitor connection usage via Redis metrics so that exhaustion can be detected before it affects the application."], "summary": {"action": "Apply Patch", "impact": "Connection Resource Exhaustion leading to Service Degradation"}, "threat_synthesis": {"affected_systems": "The affected product is NiceGUI from the maker Zauberzeug. All releases between version 2.10.0 and 3.4.1 are vulnerable. Version\u00a03.5.0 and later include the fix.", "description_and_impact": "NiceGUI is a Python\u2011based UI framework that supports Redis\u2011backed storage. From versions 2.10.0 to 3.4.1, an unauthenticated attacker can cause a Redis connection leak\u2014a CWE\u2011772: Unreleased Resource flaw\u2014by repeatedly opening and closing browser tabs on any NiceGUI application that uses Redis. The framework does not release connections, eventually exhausting the Redis pool. When the limit is reached, the application continues to accept new connections, logs errors, and the storage layer becomes non\u2011functional, resulting in degraded service quality or intermittent failures.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3, indicating moderate severity. The EPSS score of less than 1\u202f% signals a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is any end\u2011user interacting with a vulnerable NiceGUI application\u202f\u2013\u202fno authentication is required, and the attacker can trigger the leak simply by opening many tabs. Because the exposure is unprivileged and tied to client\u2011side navigation, a large\u2011scale impact would require an attacker to engineer a situation where many users or a single user open a vast number of tabs. Successful exploitation would consume all Redis connections, causing the application to log errors and degrade its storage functionality, potentially impacting availability."}}}}, "created": "2026-01-09T13:25:42.913892+00:00", "updated": "2026-04-18T16:45:05.232816+00:00", "vendors": ["zauberzeug", "zauberzeug$PRODUCT$nicegui"]}