CVE-2026-21874: NiceGUI Redis connection leak via tab storage causes service degradation
An unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections; errors are logged, but the app stays up with broken storage functionality.
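The leak pattern described above, modelled as an added example (not NiceGUI's code and not part of the advisory). `FakeRedisServer`, `FakeConnection`, `TabStorageRegistry`, `simulate` and the limit of 50 clients are hypothetical stand-ins, and one backend connection per tab is an assumption; the model compares a registry that forgets the connection on tab close with one that releases it.

```python
# Constructed model of a per-tab connection leak; not NiceGUI code.
# All class names and the client limit are hypothetical stand-ins.

class FakeRedisServer:
    """Stand-in for a Redis server enforcing a client limit."""
    def __init__(self, maxclients):
        self.maxclients = maxclients
        self.open_connections = 0

    def connect(self):
        if self.open_connections >= self.maxclients:
            raise ConnectionError("max number of clients reached")
        self.open_connections += 1
        return FakeConnection(self)

class FakeConnection:
    def __init__(self, server):
        self.server, self.closed = server, False

    def close(self):
        if not self.closed:  # idempotent release
            self.closed = True
            self.server.open_connections -= 1

class TabStorageRegistry:
    """Assumed design: one backend connection per browser tab."""
    def __init__(self, server, release_on_close):
        self.server, self.release_on_close = server, release_on_close
        self.tabs, self.errors = {}, 0

    def open_tab(self, tab_id):
        try:
            self.tabs[tab_id] = self.server.connect()
        except ConnectionError:
            self.errors += 1  # app stays up; storage fails for this tab

    def close_tab(self, tab_id):
        conn = self.tabs.pop(tab_id, None)
        if conn is not None and self.release_on_close:
            conn.close()  # the release step the leaky variant skips

def simulate(release_on_close, cycles=200, maxclients=50):
    """Open and close `cycles` tabs; return (open connections, errors)."""
    server = FakeRedisServer(maxclients)
    registry = TabStorageRegistry(server, release_on_close)
    for i in range(cycles):
        registry.open_tab(f"tab-{i}")
        registry.close_tab(f"tab-{i}")
    return server.open_connections, registry.errors

if __name__ == "__main__":
    print("leaky:", simulate(False), "releasing:", simulate(True))
```

In the leaky variant the server's open-connection count stays pinned at the limit even though no tab is open, which is the signal to watch for when comparing Redis client counts against active sessions.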
References
- github.com/advisories/GHSA-mp55-g7pj-rvm2
- github.com/zauberzeug/nicegui
- github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83
- github.com/zauberzeug/nicegui/releases/tag/v3.5.0
- github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2
- nvd.nist.gov/vuln/detail/CVE-2026-21874