
CVE-2026-33332: CWE-20: Improper Input Validation in zauberzeug nicegui

Severity: Medium
Tags: Vulnerability, CVE-2026-33332, CWE-20, CWE-770
Published: Tue Mar 24 2026 (03/24/2026, 19:20:53 UTC)
Source: CVE Database V5
Vendor/Project: zauberzeug
Product: nicegui

Description

CVE-2026-33332 is a medium-severity vulnerability in the Python-based UI framework NiceGUI in versions prior to 3.9.0. The routes registered by app.add_media_file() and app.add_media_files() accept a user-controlled query parameter that is not validated. This parameter affects how files are read during streaming, so an attacker can bypass chunked streaming and force the server to load entire media files into memory at once. Exploitation can cause excessive memory consumption, degraded performance, or denial of service, especially with large files and concurrent requests. No authentication or user interaction is required. The issue has been patched in NiceGUI version 3.9.0.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 20:14:28 UTC

Technical Analysis

CVE-2026-33332 is classified under CWE-20 (Improper Input Validation) and CWE-770 (Allocation of Resources Without Limits or Throttling) and affects the NiceGUI Python UI framework before version 3.9.0. The flaw is in the media streaming routes registered via app.add_media_file() and app.add_media_files(), which accept a user-controlled query parameter that dictates how the media file is read and streamed. The parameter is passed to the range-response implementation without validation or limits, so a request can defeat the intended chunked streaming: instead of reading the file in bounded chunks, the server reads the whole file (or the whole requested range) into memory in a single allocation. Against large media files, and particularly under concurrent requests, this exhausts memory and degrades or denies service. The vulnerability requires no authentication or user interaction. No exploitation in the wild has been reported; the CVSS 4.0 base score is 6.9 (medium). NiceGUI 3.9.0 fixes the issue by validating the parameter and bounding the resources a single request can consume. The advisory text on this page does not name the parameter, so defenders should check the upstream fix for the exact name and accepted range.
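The following is an added illustration, not NiceGUI's own code, of the failure pattern described above: a range-streaming reader that takes its per-read size from an unvalidated query value, next to a hardened version that bounds it. The parameter name chunk_size, the default and maximum read sizes, and the sample file are all assumptions for the example; the page does not state NiceGUI's actual parameter name or limits.

```python
"""Range streaming with and without a bound on the per-read size.

Added example; not code from NiceGUI. The query parameter name
``chunk_size`` and the size constants are hypothetical.
"""
import os
import tempfile
from typing import Dict, Iterator, Optional, Tuple

DEFAULT_CHUNK = 64 * 1024   # assumed default read size
MAX_CHUNK = 1024 * 1024     # assumed hard cap on a single read


def make_sample_file(size: int) -> str:
    """Write a constructed media file of `size` random bytes; return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(size))
    return path


def parse_range(header: Optional[str], total: int) -> Tuple[int, int]:
    """Parse a single 'bytes=a-b' Range header into inclusive offsets."""
    if not header or not header.startswith("bytes="):
        return 0, total - 1
    start_s, _, end_s = header[len("bytes="):].partition("-")
    if start_s:
        start = int(start_s)
        end = int(end_s) if end_s else total - 1
    else:  # suffix form 'bytes=-N': the last N bytes
        start, end = max(total - int(end_s), 0), total - 1
    end = min(end, total - 1)
    if start < 0 or start > end:
        raise ValueError("unsatisfiable range")
    return start, end


def _read_chunks(path: str, start: int, end: int, chunk: int) -> Iterator[bytes]:
    """Yield the byte range [start, end] reading at most `chunk` bytes per call."""
    with open(path, "rb") as fh:
        fh.seek(start)
        remaining = end - start + 1
        while remaining > 0:
            data = fh.read(min(chunk, remaining))
            if not data:
                break
            remaining -= len(data)
            yield data


def stream_vulnerable(path: str, query: Dict[str, str],
                      range_header: Optional[str] = None) -> Iterator[bytes]:
    """Unbounded: the client-supplied value becomes the read size as-is.

    A huge value reads the whole range in one allocation; a negative value
    makes fh.read() read everything remaining, which has the same effect.
    """
    total = os.path.getsize(path)
    start, end = parse_range(range_header, total)
    chunk = int(query.get("chunk_size", DEFAULT_CHUNK))  # no validation
    return _read_chunks(path, start, end, chunk)


def clamp_chunk(raw: Optional[str]) -> int:
    """Validate the client value: integer, positive, and never above MAX_CHUNK."""
    if raw is None:
        return DEFAULT_CHUNK
    try:
        value = int(raw)
    except ValueError:
        raise ValueError("chunk size must be an integer") from None
    if value <= 0:
        raise ValueError("chunk size must be positive")
    return min(value, MAX_CHUNK)


def stream_hardened(path: str, query: Dict[str, str],
                    range_header: Optional[str] = None) -> Iterator[bytes]:
    """Bounded: the read size is validated and capped before use."""
    total = os.path.getsize(path)
    start, end = parse_range(range_header, total)
    return _read_chunks(path, start, end, clamp_chunk(query.get("chunk_size")))


def peak_read(chunks: Iterator[bytes]) -> Tuple[int, bytes]:
    """Return (largest single read, reassembled body) for a chunk stream."""
    parts = list(chunks)
    return max((len(p) for p in parts), default=0), b"".join(parts)


if __name__ == "__main__":
    sample = make_sample_file(3 * 1024 * 1024)
    attack = {"chunk_size": "1000000000"}
    print("vulnerable peak read:", peak_read(stream_vulnerable(sample, attack))[0])
    print("hardened peak read:  ", peak_read(stream_hardened(sample, attack))[0])
    os.remove(sample)
```

Both variants deliver identical bytes, which is why the defect is easy to miss in functional testing: the only observable difference is the size of the largest single read, and that is what an attacker multiplies across concurrent requests. Note the negative-value case, which `fh.read()` treats as "read everything"; the hardened path rejects it rather than clamping it.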

Potential Impact

The primary impact of CVE-2026-33332 is denial of service through memory exhaustion. By supplying an unvalidated query value, an attacker makes the server load entire large media files into memory at once; a handful of concurrent requests against the same large file is enough to overwhelm a typical process memory limit. The result is degraded performance, a crashed or restarted worker, or a service that is unavailable to legitimate users. Confidentiality and integrity are not directly affected; availability is. Because no authentication is required, any remote client that can reach the media routes can trigger the condition, which makes public-facing NiceGUI applications serving large media content the most exposed.

Mitigation Recommendations

To mitigate CVE-2026-33332, upgrade NiceGUI to version 3.9.0 or later, where the parameter is validated and the per-request allocation is bounded. Until the upgrade is deployed: restrict access to the media streaming routes to trusted users or internal networks at the network or reverse-proxy layer; use a WAF or reverse-proxy rule to reject requests to those routes carrying abnormal query values (very large, zero, or negative integers) or unusually large Range requests; apply rate limiting and a concurrency cap per client on media file requests so that simultaneous whole-file loads cannot stack; run the application under a memory limit (container or cgroup) so that exhaustion restarts one worker rather than taking down the host; and alert on memory growth and on bursts of media requests from a single client. Review application logs for such patterns, and when auditing custom extensions or integrations that expose file streaming, check that every client-controlled size or offset is validated and capped before it reaches a read call.
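As an added example of the log review recommended above (not tooling from the page or from the NiceGUI project), the script below scans access-log lines in common log format for requests to media routes that carry an abnormal numeric query value and for clients that hit those routes in bursts. The media path prefix, the thresholds, and the log lines themselves are constructed for the example; the query parameter name chunk_size in the sample lines is hypothetical, and the detector deliberately checks every numeric query value rather than one named parameter.

```python
"""Access-log scan for oversized media requests and bursty clients.

Added example; not from the page or the NiceGUI project. The path prefix,
thresholds and log lines are assumptions constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

MEDIA_PREFIX = "/media/"      # assumed prefix of the media streaming routes
OVERSIZED_VALUE = 1_000_000   # assumed threshold for a numeric query value
BURST_THRESHOLD = 4           # assumed media hits per client before flagging

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; 203.0.113.7 plays the attacker.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:19:21:03 +0000] "GET /media/demo/big.mp4?chunk_size=999999999 HTTP/1.1" 206 104857600
198.51.100.2 - - [24/Mar/2026:19:21:04 +0000] "GET /media/demo/big.mp4?chunk_size=65536 HTTP/1.1" 206 65536
198.51.100.2 - - [24/Mar/2026:19:21:05 +0000] "GET /static/app.js HTTP/1.1" 200 4510
203.0.113.7 - - [24/Mar/2026:19:21:05 +0000] "GET /media/demo/big.mp4?chunk_size=999999999 HTTP/1.1" 206 104857600
203.0.113.7 - - [24/Mar/2026:19:21:05 +0000] "GET /media/demo/big.mp4?chunk_size=999999999 HTTP/1.1" 206 104857600
203.0.113.7 - - [24/Mar/2026:19:21:06 +0000] "GET /media/demo/big.mp4?chunk_size=-1 HTTP/1.1" 206 104857600
192.0.2.9 - - [24/Mar/2026:19:21:07 +0000] "GET /media/demo/clip.mp4 HTTP/1.1" 200 2048
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one common-log-format line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def abnormal_params(target: str) -> List[Tuple[str, str]]:
    """Return (name, value) for query parameters that are huge or non-positive integers."""
    flagged: List[Tuple[str, str]] = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        try:
            n = int(value)
        except ValueError:
            continue  # non-numeric values are not this detector's concern
        if n <= 0 or n >= OVERSIZED_VALUE:
            flagged.append((name, value))
    return flagged


def analyze(log_text: str) -> Dict[str, object]:
    """Scan a log and report abnormal media requests and bursty client IPs."""
    abnormal: List[Dict[str, str]] = []
    per_ip: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not urlsplit(rec["target"]).path.startswith(MEDIA_PREFIX):
            continue
        per_ip[rec["ip"]] += 1
        for name, value in abnormal_params(rec["target"]):
            abnormal.append({"ip": rec["ip"], "ts": rec["ts"],
                             "param": name, "value": value})
    bursty = sorted(ip for ip, n in per_ip.items() if n >= BURST_THRESHOLD)
    return {"abnormal": abnormal, "bursty_ips": bursty,
            "media_hits_per_ip": dict(per_ip)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for hit in report["abnormal"]:
        print(f"abnormal value {hit['param']}={hit['value']} from {hit['ip']} at {hit['ts']}")
    print("bursty clients:", report["bursty_ips"])
```

The two signals are complementary: a single oversized value is a strong indicator on its own, while a burst of media requests from one client without any oversized value can still be a legitimate player seeking through a file, so the burst list is best used to prioritise rather than to block. In a real deployment the prefix and thresholds should be taken from the application's actual route layout and traffic baseline.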


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-18T22:15:11.812Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69c2ea08f4197a8e3b6b642e

Added to database: 3/24/2026, 7:46:16 PM

Last enriched: 3/31/2026, 8:14:28 PM

Last updated: 5/8/2026, 9:28:42 PM

