CVE-2026-21874: CWE-772: Missing Release of Resource after Effective Lifetime in zauberzeug nicegui
CVE-2026-21874 is a medium-severity vulnerability in the NiceGUI Python UI framework versions 2. 10. 0 through 3. 4. 1. It allows unauthenticated attackers to exhaust Redis connections by repeatedly opening and closing browser tabs on applications using Redis-backed storage. The vulnerability arises because Redis connections are not properly released, leading to service degradation when the Redis connection limit is reached. Although the NiceGUI app remains operational, storage functionality breaks and errors are logged. This issue does not impact confidentiality or integrity but affects availability. The vulnerability has been patched in version 3.
AI Analysis
Technical Summary
CVE-2026-21874 is a resource management vulnerability classified under CWE-772 (Missing Release of Resource after Effective Lifetime) affecting the NiceGUI Python-based UI framework. Specifically, versions from 2.10.0 up to 3.4.1 improperly manage Redis connections when Redis is used as the backend storage. An unauthenticated attacker can exploit this by repeatedly opening and closing browser tabs on any NiceGUI application that uses Redis-backed storage. Each tab opening initiates a Redis connection that is never released upon tab closure, causing a gradual exhaustion of available Redis connections. Once the Redis server hits its maximum connection limit, the service degrades: NiceGUI continues to accept new client connections, but storage operations fail and errors are logged. This leads to a denial-of-service-like condition affecting application availability, though confidentiality and integrity remain intact. The vulnerability requires no authentication or user interaction, making it relatively easy to exploit remotely. The issue was addressed and patched in NiceGUI version 3.5.0, which properly releases Redis connections after use. No known exploits are reported in the wild as of now.
Potential Impact
For European organizations, this vulnerability primarily threatens the availability of applications built with NiceGUI that rely on Redis-backed storage. Service degradation or partial denial of service can disrupt business operations, especially for customer-facing or internal applications critical to workflows. Organizations using affected versions risk operational interruptions if attackers or even inadvertent user behavior triggers connection exhaustion. While confidentiality and data integrity are not directly impacted, the loss of storage functionality can lead to data loss or inconsistent application states. The impact is more pronounced for organizations with high traffic web applications or those that cannot quickly patch or restart Redis services. Additionally, sectors with stringent uptime requirements, such as finance, healthcare, and public services, may face compliance and reputational risks due to service unavailability.
Mitigation Recommendations
European organizations should immediately upgrade NiceGUI to version 3.5.0 or later, where the vulnerability is patched. Until upgrading is possible, implement monitoring on Redis connection counts and set alerts for abnormal connection usage patterns. Configure Redis to limit maximum connections per client or implement connection pooling to mitigate exhaustion risks. Employ web application firewalls or rate limiting to restrict rapid tab opening/closing behaviors from single IP addresses. Consider isolating Redis instances used by NiceGUI applications to prevent broader impact on other services. Regularly audit application dependencies and maintain an inventory of NiceGUI versions in use. Finally, educate developers and administrators about proper resource management and encourage timely patching of third-party components.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
CVE-2026-21874: CWE-772: Missing Release of Resource after Effective Lifetime in zauberzeug nicegui
Description
CVE-2026-21874 is a medium-severity vulnerability in the NiceGUI Python UI framework versions 2. 10. 0 through 3. 4. 1. It allows unauthenticated attackers to exhaust Redis connections by repeatedly opening and closing browser tabs on applications using Redis-backed storage. The vulnerability arises because Redis connections are not properly released, leading to service degradation when the Redis connection limit is reached. Although the NiceGUI app remains operational, storage functionality breaks and errors are logged. This issue does not impact confidentiality or integrity but affects availability. The vulnerability has been patched in version 3.
AI-Powered Analysis
Technical Analysis
CVE-2026-21874 is a resource management vulnerability classified under CWE-772 (Missing Release of Resource after Effective Lifetime) affecting the NiceGUI Python-based UI framework. Specifically, versions from 2.10.0 up to 3.4.1 improperly manage Redis connections when Redis is used as the backend storage. An unauthenticated attacker can exploit this by repeatedly opening and closing browser tabs on any NiceGUI application that uses Redis-backed storage. Each tab opening initiates a Redis connection that is never released upon tab closure, causing a gradual exhaustion of available Redis connections. Once the Redis server hits its maximum connection limit, the service degrades: NiceGUI continues to accept new client connections, but storage operations fail and errors are logged. This leads to a denial-of-service-like condition affecting application availability, though confidentiality and integrity remain intact. The vulnerability requires no authentication or user interaction, making it relatively easy to exploit remotely. The issue was addressed and patched in NiceGUI version 3.5.0, which properly releases Redis connections after use. No known exploits are reported in the wild as of now.
Potential Impact
For European organizations, this vulnerability primarily threatens the availability of applications built with NiceGUI that rely on Redis-backed storage. Service degradation or partial denial of service can disrupt business operations, especially for customer-facing or internal applications critical to workflows. Organizations using affected versions risk operational interruptions if attackers or even inadvertent user behavior triggers connection exhaustion. While confidentiality and data integrity are not directly impacted, the loss of storage functionality can lead to data loss or inconsistent application states. The impact is more pronounced for organizations with high traffic web applications or those that cannot quickly patch or restart Redis services. Additionally, sectors with stringent uptime requirements, such as finance, healthcare, and public services, may face compliance and reputational risks due to service unavailability.
Mitigation Recommendations
European organizations should immediately upgrade NiceGUI to version 3.5.0 or later, where the vulnerability is patched. Until upgrading is possible, implement monitoring on Redis connection counts and set alerts for abnormal connection usage patterns. Configure Redis to limit maximum connections per client or implement connection pooling to mitigate exhaustion risks. Employ web application firewalls or rate limiting to restrict rapid tab opening/closing behaviors from single IP addresses. Consider isolating Redis instances used by NiceGUI applications to prevent broader impact on other services. Regularly audit application dependencies and maintain an inventory of NiceGUI versions in use. Finally, educate developers and administrators about proper resource management and encourage timely patching of third-party components.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-05T16:44:16.369Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695f815bc901b06321d3fb08
Added to database: 1/8/2026, 10:05:15 AM
Last enriched: 1/15/2026, 12:42:56 PM
Last updated: 2/7/2026, 10:43:58 AM
Views: 119
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2082: OS Command Injection in D-Link DIR-823X
MediumCVE-2026-2080: Command Injection in UTT HiPER 810
HighCVE-2026-2079: Improper Authorization in yeqifu warehouse
MediumCVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker
MediumCVE-2026-1643: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ariagle MP-Ukagaka
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.