CVE-2026-45554: CWE-248: Uncaught Exception in zauberzeug nicegui
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. This issue has been patched in version 3.12.0.
AI Analysis
Technical Summary
NiceGUI versions before 3.12.0 contain a vulnerability where two FastAPI routes serving static assets accept sub-path parameters that may resolve to directories. Requests resolving to directories cause an unhandled RuntimeError in Starlette's FileResponse, resulting in full tracebacks being logged by Uvicorn. These routes are unauthenticated and publicly reachable, allowing remote attackers to amplify log volume and consume server disk and log-pipeline capacity. The vulnerability is tracked as CVE-2026-45554 with a CVSS 3.1 score of 5.3 (medium severity). The issue has been patched in version 3.12.0.
Potential Impact
The vulnerability does not allow confidentiality or integrity compromise but can cause denial of service by exhausting disk space and log processing resources through log flooding. This can degrade server performance or availability due to resource exhaustion. There is no indication of code execution or data leakage. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade NiceGUI to version 3.12.0 or later, where this issue is patched. Since the vulnerability is fixed in the official release, applying this update fully mitigates the risk. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-45554: CWE-248: Uncaught Exception in zauberzeug nicegui
Description
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. This issue has been patched in version 3.12.0.
CVSS v3.1
Score 5.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
NiceGUI versions before 3.12.0 contain a vulnerability where two FastAPI routes serving static assets accept sub-path parameters that may resolve to directories. Requests resolving to directories cause an unhandled RuntimeError in Starlette's FileResponse, resulting in full tracebacks being logged by Uvicorn. These routes are unauthenticated and publicly reachable, allowing remote attackers to amplify log volume and consume server disk and log-pipeline capacity. The vulnerability is tracked as CVE-2026-45554 with a CVSS 3.1 score of 5.3 (medium severity). The issue has been patched in version 3.12.0.
Potential Impact
The vulnerability does not allow confidentiality or integrity compromise but can cause denial of service by exhausting disk space and log processing resources through log flooding. This can degrade server performance or availability due to resource exhaustion. There is no indication of code execution or data leakage. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade NiceGUI to version 3.12.0 or later, where this issue is patched. Since the vulnerability is fixed in the official release, applying this update fully mitigates the risk. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-12T17:48:47.880Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1efb66e29bf47b50db3529
Added to database: 6/2/2026, 3:48:54 PM
Last enriched: 6/2/2026, 4:05:08 PM
Last updated: 6/3/2026, 4:59:45 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.