CVE-2026-21874 is a resource management vulnerability classified under CWE-772 (Missing Release of Resource after Effective Lifetime) affecting the NiceGUI Python UI framework, specifically versions from 2.10.0 up to 3.4.1. NiceGUI applications that use Redis as a backend storage system are vulnerable to a connection exhaustion attack. An unauthenticated attacker can repeatedly open and close browser tabs connected to the NiceGUI application, causing Redis connections to be opened but never properly released due to a flaw in the resource lifecycle management within the framework. Over time, this leads to Redis hitting its maximum connection limit, resulting in degraded service performance and broken storage functionality. Despite these errors, the NiceGUI application continues to accept new connections, logging errors but remaining operational with impaired storage capabilities. This vulnerability does not allow for data leakage or modification but impacts the availability of the application’s storage features. The flaw is remotely exploitable without authentication or user interaction, increasing its risk profile. The issue was addressed and patched in NiceGUI version 3.5.0, which properly releases Redis connections after use, preventing exhaustion. No known exploits are currently reported in the wild, but the vulnerability poses a risk of denial-of-service conditions in affected deployments.

For European organizations, this vulnerability primarily threatens the availability of applications built with NiceGUI that rely on Redis-backed storage. Service degradation or partial denial-of-service could disrupt business operations, especially for web applications providing critical UI functionality. While confidentiality and integrity remain unaffected, the loss of storage functionality can impair user experience and operational workflows. Organizations in sectors such as finance, healthcare, and public services that use Python-based web frameworks and Redis for session or state management may face increased risk. The ease of exploitation without authentication means attackers can cause disruption with minimal effort, potentially leading to reputational damage and operational downtime. Given the widespread use of Python and Redis in Europe, the vulnerability could impact a broad range of enterprises, particularly those with modern web applications and microservice architectures.

European organizations should immediately upgrade all NiceGUI deployments to version 3.5.0 or later to ensure the resource leak is fixed. Until upgrades are complete, implement Redis connection limits and monitoring to detect unusual connection spikes indicative of exploitation attempts. Employ rate limiting or web application firewalls (WAFs) to restrict rapid repeated connections from the same client IPs, mitigating automated exploitation. Review application architecture to avoid unnecessary Redis connections per client session and consider connection pooling strategies to reduce resource exhaustion risk. Conduct thorough testing of NiceGUI applications under load to identify potential resource leaks. Maintain up-to-date dependency management and vulnerability scanning practices to quickly identify and remediate similar issues. Additionally, isolate Redis instances with network segmentation and enforce strict access controls to limit attack surface exposure.