CVE-2026-21874
Resource Exhaustion in NiceGUI Redis Storage Causes Service Degradation
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zauberzeug | nicegui | From 2.10.0 (inc) to 3.4.1 (inc) |
| zauberzeug | nicegui | 3.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-772 | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21874 is a vulnerability in NiceGUI versions 2.10.0 to 3.4.1 where an unauthenticated attacker can cause a Redis connection leak by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Each tab creates a Redis client connection that is never properly released because the tab identifier is cleared before the connection cleanup occurs. This leads to exhaustion of Redis connections, causing service degradation and broken persistent storage functionality, although the application itself remains running. [1]
How can this vulnerability impact me?
This vulnerability can impact you by causing denial of persistent storage functionality in NiceGUI applications that use Redis-backed storage. When Redis connections are exhausted due to the leak, new Redis connections are refused, leading to failure of Redis-dependent features and loss of tab or user data. Although the NiceGUI application continues to run and accept new client connections, storage operations fail and errors are logged, resulting in degraded service and broken functionality. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the number of active Redis client connections and observing whether the count increases abnormally when users open and close browser tabs on a NiceGUI application using Redis-backed storage. Logs may show repeated warnings and errors related to cleared tab_ids and failures to delete tab storage entries. You can use Redis commands such as `CLIENT LIST` to view connected clients and `INFO clients` to check the number of connected clients. A connection count that keeps rising towards the Redis maxclients limit, together with application logs showing Redis connection errors, indicates the presence of this vulnerability. [1]
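The monitoring described above, as an added example that is not part of the CVE record or of the NiceGUI or Redis projects: it parses the output of `CLIENT LIST` and `INFO clients`, counts connections per source host and computes how close the server is to its maxclients limit. The sample outputs are constructed, and the `maxclients` line in `INFO clients` is assumed to be present (it is on Redis 7 and later; on older servers take it from `CONFIG GET maxclients`).

```python
"""Offline check for the Redis connection build-up that CVE-2026-21874 causes."""
from typing import Dict, List

# Constructed sample output of `CLIENT LIST` (not captured from a real server).
SAMPLE_CLIENT_LIST = """\
id=3 addr=127.0.0.1:50432 laddr=127.0.0.1:6379 fd=8 name= age=7210 idle=0 flags=N db=0 cmd=client|list user=default
id=4 addr=10.0.0.12:40110 laddr=10.0.0.1:6379 fd=9 name= age=3600 idle=3590 flags=N db=0 cmd=get user=default
id=5 addr=10.0.0.12:40114 laddr=10.0.0.1:6379 fd=10 name= age=3598 idle=3588 flags=N db=0 cmd=get user=default
id=6 addr=10.0.0.12:40120 laddr=10.0.0.1:6379 fd=11 name= age=3590 idle=3580 flags=P db=0 cmd=subscribe user=default
"""

# Constructed sample output of `INFO clients`; the maxclients line is assumed (Redis 7+).
SAMPLE_INFO_CLIENTS = "# Clients\r\nconnected_clients:4\r\nmaxclients:10000\r\nblocked_clients:0\r\n"


def parse_client_list(text: str) -> List[Dict[str, str]]:
    """Turn each `CLIENT LIST` line of space-separated key=value pairs into a dict."""
    clients = []
    for line in text.splitlines():
        if line.strip():
            clients.append(dict(field.split("=", 1) for field in line.split()))
    return clients


def parse_info(text: str) -> Dict[str, str]:
    """Parse `INFO` output, skipping '#' section headers and blank lines."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            info[key] = value
    return info


def clients_per_host(clients: List[Dict[str, str]]) -> Dict[str, int]:
    """Count connections by source IP; the NiceGUI host is where a leak shows up."""
    counts: Dict[str, int] = {}
    for client in clients:
        host = client["addr"].rsplit(":", 1)[0]  # strip the ephemeral source port
        counts[host] = counts.get(host, 0) + 1
    return counts


def saturation(info: Dict[str, str]) -> float:
    """Fraction of maxclients in use; alert well before this reaches 1.0."""
    return int(info["connected_clients"]) / int(info["maxclients"])


def hosts_over_baseline(clients: List[Dict[str, str]], baseline: int) -> List[str]:
    """Hosts holding more connections than the pool size the app is expected to use."""
    return sorted(h for h, n in clients_per_host(clients).items() if n > baseline)
```

Feed it the real output (`redis-cli CLIENT LIST` and `redis-cli INFO clients`) on a schedule and alert when a host's count keeps growing across samples rather than on a single reading, since a healthy connection pool is steady while a leak only climbs.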
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NiceGUI to version 3.5.0 or later, where the vulnerability has been fixed. The fix includes proper cleanup of Redis connections and listener tasks during tab or user storage cleanup, preventing connection leaks. Until the upgrade can be applied, monitoring Redis connections and restarting the Redis server or NiceGUI application may temporarily alleviate the issue, but upgrading is the recommended and effective solution. [1, 2]