CVE-2026-45553
File Read via Docutils in NiceGUI
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nicegui | nicegui | < 3.12.0 (excluding 3.12.0) |
| zauberzeug | nicegui | < 3.12.0 (excluding 3.12.0) |
| zauberzeug | nicegui | 3.11.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in NiceGUI allows attackers to read arbitrary local files accessible to the server process, potentially exposing sensitive information such as environment variables, database URLs, API tokens, or application source code.
This exposure of sensitive information can lead to violations of confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access.
Therefore, if an application passes untrusted input to the vulnerable function, it risks non-compliance with these regulations due to the potential unauthorized disclosure of sensitive data.
Can you explain this vulnerability to me?
The CVE-2026-45553 vulnerability affects the NiceGUI library, specifically versions 3.11.1 and earlier. It involves a local file disclosure issue in the ui.restructured_text() function, which renders reStructuredText server-side using Docutils without disabling file insertion directives.
Attackers can exploit this by passing malicious reStructuredText content containing directives like include, csv-table with :file:, or raw with :file: to read arbitrary files accessible to the NiceGUI server process.
This includes sensitive files such as .env, database URLs, API tokens, or application source code. The vulnerability requires the application to pass untrusted input to ui.restructured_text() to be exploitable.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server running the NiceGUI application.
- Attackers can read local files that the NiceGUI server process has access to.
- Sensitive data such as environment variables (.env), database connection URLs, API tokens, and application source code can be exposed.
Such exposure can compromise the confidentiality of your system and potentially lead to further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability means checking whether your NiceGUI application calls ui.restructured_text() with untrusted input while file insertion directives are still enabled.
Inspect your application code for every use of ui.restructured_text() and verify whether any call site passes attacker-controlled content.
Additionally, search the input reaching ui.restructured_text() for unsafe Docutils directives such as include, csv-table with :file:, or raw with :file:.
No specific network commands are provided in the resources; code review and input validation checks are the recommended approach.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NiceGUI to version 3.12.0 or later, where this vulnerability is patched.
If upgrading is not immediately possible, modify the prepare_content() function to disable unsafe Docutils features by setting file_insertion_enabled and raw_enabled to False.
Ensure that ui.restructured_text() is only called with trusted static strings and never with attacker-controlled input.
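The following is an added example, not NiceGUI's own code and not the project's prepare_content() function, which this page names but does not show. It demonstrates the two layers a defender would want: a screen that rejects reStructuredText carrying the file-insertion directives named above before Docutils parses it, and a render path that passes Docutils the real file_insertion_enabled and raw_enabled settings set to False. The function name render_untrusted_rst and the two sample documents are assumptions constructed for this example; the screening function runs without Docutils installed.

```python
"""Added example (not NiceGUI's own code): screen untrusted reStructuredText for
file-insertion directives, then render it with Docutils' file insertion and raw
pass-through disabled, the settings this advisory names as the mitigation."""
import re
from typing import List, Optional

try:
    from docutils.core import publish_parts
except ImportError:  # the screening part below works without Docutils installed
    publish_parts = None

# Real Docutils parser settings (the CLI equivalents are --no-file-insertion
# and --no-raw). Passing them as settings_overrides hardens every render.
HARDENED_SETTINGS = {
    "file_insertion_enabled": False,  # disables include and :file:/:url: on csv-table and raw
    "raw_enabled": False,             # disables the raw directive entirely
}

_DIRECTIVE_RE = re.compile(r"^\s*\.\.\s+([A-Za-z0-9_.-]+)::")
_FILE_OPTION_RE = re.compile(r"^\s+:(file|url):")


def find_file_insertion_directives(rst: str) -> List[str]:
    """Return one finding per directive that could pull a local file into the output.

    ``include`` reads a file unconditionally; ``csv-table`` and ``raw`` only do so
    when a ``:file:`` or ``:url:`` option follows them in the option block.
    """
    findings: List[str] = []
    current: Optional[str] = None
    for lineno, line in enumerate(rst.splitlines(), start=1):
        match = _DIRECTIVE_RE.match(line)
        if match:
            current = match.group(1).lower()
            if current == "include":
                findings.append("line %d: include directive" % lineno)
            continue
        if not line.strip() or not line[0].isspace():
            # A blank or unindented line ends the directive's option block.
            current = None
            continue
        option = _FILE_OPTION_RE.match(line)
        if current in ("csv-table", "raw") and option:
            findings.append("line %d: %s directive with :%s: option"
                            % (lineno, current, option.group(1)))
    return findings


def render_untrusted_rst(rst: str) -> str:
    """Hypothetical stand-in for a hardened prepare_content(): fail closed on
    input that carries file-insertion directives, and render the rest with the
    hardened Docutils settings as a second layer."""
    findings = find_file_insertion_directives(rst)
    if findings:
        raise ValueError("refusing to render reStructuredText with file-insertion "
                         "directives: " + "; ".join(findings))
    if publish_parts is None:
        raise RuntimeError("docutils is not installed")
    parts = publish_parts(source=rst, writer_name="html",
                          settings_overrides=HARDENED_SETTINGS)
    return parts["html_body"]


# Constructed sample inputs (not taken from the advisory).
TRUSTED_DOC = "Release notes\n=============\n\n* Fixed a typo.\n"
UNTRUSTED_DOC = (
    "Hello\n"
    "=====\n\n"
    ".. include:: ./settings.env\n\n"
    ".. csv-table:: Users\n"
    "   :file: ./users.csv\n"
)


def main() -> None:
    print(find_file_insertion_directives(UNTRUSTED_DOC))
    try:
        render_untrusted_rst(UNTRUSTED_DOC)
    except ValueError as exc:
        print("rejected:", exc)
    if publish_parts is not None:
        print(render_untrusted_rst(TRUSTED_DOC)[:60])


if __name__ == "__main__":
    main()
```

The screen is deliberately conservative: it flags the directives the advisory lists rather than trying to enumerate every Docutils feature, so the Docutils settings remain the authoritative control and the screen is only an early, loggable rejection that keeps obviously hostile input away from the parser.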