CVE-2026-21874
Unknown Unknown - Not Provided

Resource Exhaustion in NiceGUI Redis Storage Causes Service Degradation

Vulnerability report for CVE-2026-21874, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-07-06
AI Q&A
2026-01-08
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
zauberzeug nicegui From 2.10.0 (inc) to 3.4.1 (inc)
zauberzeug nicegui 3.5.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-21874 is a vulnerability in NiceGUI versions 2.10.0 to 3.4.1 where an unauthenticated attacker can cause a Redis connection leak by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Each tab creates a Redis client connection that is never properly released because the tab identifier is cleared before the connection cleanup occurs. This leads to exhaustion of Redis connections, causing service degradation and broken persistent storage functionality, although the application itself remains running. [1]

Impact Analysis

This vulnerability can impact you by causing denial of persistent storage functionality in NiceGUI applications that use Redis-backed storage. When Redis connections are exhausted due to the leak, new Redis connections are refused, leading to failure of Redis-dependent features and loss of tab or user data. Although the NiceGUI application continues to run and accept new client connections, storage operations fail and errors are logged, resulting in degraded service and broken functionality. [1]

Detection Guidance

This vulnerability can be detected by monitoring the number of active Redis client connections and observing if the count increases abnormally when users open and close browser tabs on a NiceGUI application using Redis-backed storage. Logs may show repeated warnings and errors related to cleared tab_ids and failure to delete tab storage entries. You can use Redis commands such as `CLIENT LIST` to view connected clients and `INFO clients` to check the number of connected clients. An increasing number of connections approaching the Redis maxclients limit, along with application logs showing Redis connection errors, indicates the presence of this vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade NiceGUI to version 3.5.0 or later, where the vulnerability has been fixed. The fix includes proper cleanup of Redis connections and listener tasks during tab or user storage cleanup, preventing connection leaks. Until the upgrade can be applied, monitoring Redis connections and restarting the Redis server or NiceGUI application may temporarily alleviate the issue, but upgrading is the recommended and effective solution. [1, 2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart