CVE-2026-45553
Status: Deferred - Pending Action
File Read via Docutils in NiceGUI

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process. Applications that only pass trusted static strings to ui.restructured_text() are not affected. This issue has been patched in version 3.12.0.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-02
EPSS evaluated: 2026-06-21
External references: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs

Vendor       Product   Version / Range
nicegui      nicegui   up to 3.12.0 (3.12.0 excluded)
zauberzeug   nicegui   up to 3.12.0 (3.12.0 excluded)
zauberzeug   nicegui   3.11.1
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-45553 vulnerability affects the NiceGUI library, specifically versions 3.11.1 and earlier. It involves a local file disclosure issue in the ui.restructured_text() function, which renders reStructuredText server-side using Docutils without disabling file insertion directives.

Attackers can exploit this by passing malicious reStructuredText content containing directives like include, csv-table with :file:, or raw with :file: to read arbitrary files accessible to the NiceGUI server process.

This includes sensitive files and secrets such as .env files, database URLs, API tokens, or application source code. The vulnerability is only exploitable when the application passes untrusted input to ui.restructured_text().

Compliance Impact

The vulnerability in NiceGUI allows attackers to read arbitrary local files accessible to the server process, potentially exposing sensitive information such as environment variables, database URLs, API tokens, or application source code.

This exposure of sensitive information can lead to violations of confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access.

Therefore, if an application passes untrusted input to the vulnerable function, it risks non-compliance with these regulations due to the potential unauthorized disclosure of sensitive data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server running the NiceGUI application.

  • Attackers can read local files that the NiceGUI server process has access to.
  • Sensitive data such as environment variables (.env), database connection URLs, API tokens, and application source code can be exposed.

Such exposure can compromise the confidentiality of your system and potentially lead to further attacks.

Detection Guidance

Detection of this vulnerability involves checking whether your NiceGUI application calls ui.restructured_text() with untrusted input while file insertion directives are still enabled.

You can inspect your application code for usage of ui.restructured_text() and verify whether it passes attacker-controlled content.

Additionally, you can search for the presence of unsafe Docutils directives such as include, csv-table with :file:, or raw with :file: in the input processed by ui.restructured_text().

The referenced resources give no network-level detection commands; code review and input validation checks are the recommended approach.

Mitigation Strategies

The immediate mitigation step is to upgrade NiceGUI to version 3.12.0 or later, where this vulnerability is patched.

If upgrading is not immediately possible, modify the prepare_content() function so that the Docutils settings file_insertion_enabled and raw_enabled are both set to False before rendering.

Ensure that ui.restructured_text() is only called with trusted static strings and never with attacker-controlled input.
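The mitigation described above, together with the code-review check from the Detection Guidance section, as a worked example. This block is added here and is not NiceGUI's own code: it assumes docutils is installed, the function names (render_untrusted_rst, find_file_insertion_directives, demo) are hypothetical, and the sample input and the sentinel file it references are constructed for the example. The renderer applies the two settings named in the advisory; the scanner reports which lines of an untrusted document would read a local file, and demo() confirms that a real file referenced by all three directive forms is refused rather than rendered.

```python
"""Hardened server-side reStructuredText rendering (added example, not NiceGUI code).

Assumptions: docutils is installed; function names are hypothetical; the
sample input and the sentinel file are constructed for this example.
"""
import io
import os
import re
import tempfile

try:
    from docutils.core import publish_parts
    HAS_DOCUTILS = True
except ImportError:
    HAS_DOCUTILS = False

# Constructed sentinel that must never appear in rendered output.
SENTINEL = "CONSTRUCTED-SENTINEL-must-not-leak"

# Directives that can pull a local file into the document: ``include`` always,
# ``csv-table`` and ``raw`` only when they carry a :file: or :url: option.
DIRECTIVE_RE = re.compile(r"^\s*\.\.\s+(include|csv-table|raw)::", re.IGNORECASE)
OPTION_RE = re.compile(r"^\s+:(file|url):", re.IGNORECASE)

# Mirrors the 3.12.0 fix: both flags off. report_level 2 keeps the Docutils
# warning for each refused directive in the output and on the warning stream,
# so a refused attempt is visible to application logging.
HARDENED_SETTINGS = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
    "report_level": 2,
    "_disable_config": True,  # ignore any docutils.conf found on disk
}


def find_file_insertion_directives(source):
    """Pre-render check for code review or request logging.

    Returns [(line_number, directive_name), ...] for every directive in
    ``source`` that would read a local file once rendered.
    """
    lines = source.splitlines()
    hits = []
    for idx, line in enumerate(lines):
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        name = match.group(1).lower()
        if name == "include":
            hits.append((idx + 1, name))
            continue
        # Directive options follow the directive line, indented, up to the
        # first blank line; only a :file:/:url: option makes these two unsafe.
        nxt = idx + 1
        while nxt < len(lines) and lines[nxt].strip() and lines[nxt][0].isspace():
            if OPTION_RE.match(lines[nxt]):
                hits.append((idx + 1, name))
                break
            nxt += 1
    return hits


def render_untrusted_rst(source):
    """Render reStructuredText with file insertion and raw passthrough disabled.

    Returns (html_body, warnings_text); warnings_text holds one line per
    refused directive, suitable for an application log.
    """
    if not HAS_DOCUTILS:
        raise RuntimeError("docutils is required for rendering")
    warnings = io.StringIO()
    settings = dict(HARDENED_SETTINGS, warning_stream=warnings)
    parts = publish_parts(source, writer_name="html5", settings_overrides=settings)
    return parts["body"], warnings.getvalue()


def build_sample(path):
    """Constructed untrusted input using each directive form named in the advisory."""
    return "\n".join([
        "Release notes",
        "=============",
        "",
        "Harmless paragraph.",
        "",
        f".. include:: {path}",
        "",
        ".. csv-table:: Data",
        f"   :file: {path}",
        "",
        ".. raw:: html",
        f"   :file: {path}",
        "",
        ".. csv-table:: Inline data",
        "",
        "   1,2",
    ])


def demo():
    """Write a sentinel file, push constructed input that references it through
    the hardened renderer, and report what was flagged and whether it leaked."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SENTINEL + "\n")
        path = fh.name
    try:
        source = build_sample(path)
        html, warnings = render_untrusted_rst(source)
    finally:
        os.unlink(path)
    return {
        "flagged": find_file_insertion_directives(source),
        "leaked": SENTINEL in html,
        "refused": warnings.count("(WARNING/2)"),
    }


if __name__ == "__main__":
    print(demo())
```

The Docutils settings are the actual control: the scanner is a review and logging aid, and an untrusted document that only uses csv-table with inline rows is still rendered normally while the :file: variants are replaced by a visible "directive disabled" system message. Lines on the returned warning stream are the signal worth forwarding to your logs, since each one records a refused file-read attempt against the rendering process.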
