Description

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.

INFO

Published Date :

2026-01-08T09:50:47.247Z

Last Modified :

2026-01-08T14:43:50.018Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-21874 vulnerability.

Vendors Products
Zauberzeug
  • Nicegui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-21874.

URL Resource
https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83 cve-icon cve-icon
https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 cve-icon cve-icon
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact