CVE-2026-21874
Unknown Unknown - Not Provided
Resource Exhaustion in NiceGUI Redis Storage Causes Service Degradation

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21874
EUVD
EUVD-2026-1474
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zauberzeug nicegui From 2.10.0 (inc) to 3.4.1 (inc)
zauberzeug nicegui 3.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21874 is a vulnerability in NiceGUI versions 2.10.0 to 3.4.1 where an unauthenticated attacker can cause a Redis connection leak by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Each tab creates a Redis client connection that is never properly released because the tab identifier is cleared before the connection cleanup occurs. This leads to exhaustion of Redis connections, causing service degradation and broken persistent storage functionality, although the application itself remains running. [1]

Impact Analysis

This vulnerability can impact you by causing denial of persistent storage functionality in NiceGUI applications that use Redis-backed storage. When Redis connections are exhausted due to the leak, new Redis connections are refused, leading to failure of Redis-dependent features and loss of tab or user data. Although the NiceGUI application continues to run and accept new client connections, storage operations fail and errors are logged, resulting in degraded service and broken functionality. [1]

Detection Guidance

This vulnerability can be detected by monitoring the number of active Redis client connections and observing if the count increases abnormally when users open and close browser tabs on a NiceGUI application using Redis-backed storage. Logs may show repeated warnings and errors related to cleared tab_ids and failure to delete tab storage entries. You can use Redis commands such as `CLIENT LIST` to view connected clients and `INFO clients` to check the number of connected clients. An increasing number of connections approaching the Redis maxclients limit, along with application logs showing Redis connection errors, indicates the presence of this vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade NiceGUI to version 3.5.0 or later, where the vulnerability has been fixed. The fix includes proper cleanup of Redis connections and listener tasks during tab or user storage cleanup, preventing connection leaks. Until the upgrade can be applied, monitoring Redis connections and restarting the Redis server or NiceGUI application may temporarily alleviate the issue, but upgrading is the recommended and effective solution. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart