CVE-2026-45554: NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

May 18, 2026 (updated June 9, 2026)

Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette’s FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.

References

github.com/advisories/GHSA-pq7c-x8g4-rvp6
github.com/zauberzeug/nicegui/releases/tag/v3.12.0
github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6
nvd.nist.gov/vuln/detail/CVE-2026-45554

Code Behaviors & Features

Detect and mitigate CVE-2026-45554 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →