5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21874

CVE-2026-21874: NiceGUI has Redis connection leak via tab storage causes service degradation

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21874

CVE-2026-21874:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nicegui	pip	>= 2.10.0, <= 3.4.1	3.5.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Redis connection leak in NiceGUI, allowing an unauthenticated attacker to cause a denial of service by exhausting Redis connections. The root cause lies in the client disconnection logic. When a browser tab is closed, the nicegui.client.Client.handle_disconnect function is triggered. In vulnerable versions, this function prematurely nullifies the tab_id before the resource cleanup process can use it. Each tab using Redis storage has an associated RedisPersistentDict object, created via its __init__ method, which establishes connections to Redis. The cleanup process is supposed to call the RedisPersistentDict.close method to release these connections. However, because the tab_id is already gone, the system cannot find the correct RedisPersistentDict object to close. Consequently, the connections are never released. The patch addresses this by saving the tab_id before it's cleared and ensuring the close method on the corresponding storage object is called. The patch also includes a more robust implementation of RedisPersistentDict.close to ensure the background connection tasks are properly terminated.

Vulnerable functions

Client.handle_disconnect

nicegui/client.py

This function is called when a client disconnects. In the vulnerable version, it sets the client's `tab_id` to `None` before scheduling the cleanup tasks. This prevents the cleanup logic from identifying and closing the Redis connections associated with the disconnected tab, leading to a connection leak.

RedisPersistentDict.__init__

nicegui/persistence/redis_persistent_dict.py

This constructor is called for each new browser tab when Redis-backed storage is used. It creates new connections to Redis (a client and a pub/sub connection). Due to the bug in `Client.handle_disconnect`, the `close` method is never called on this object, causing these connections to be leaked.

RedisPersistentDict.close

nicegui/persistence/redis_persistent_dict.py

This method is responsible for closing the Redis connections. The vulnerability is twofold: it was not being called due to the logic error in `Client.handle_disconnect`, and its original implementation was flawed, failing to properly terminate the background listener task holding a connection. This would likely have resulted in a leak even if the method had been called.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21874: NiceGUI has Redis connection leak via tab storage causes service degradation

CVE-2026-21874:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

5.3

Technical Details

Basic Information

Basic Information

CVE-2026-21874: NiceGUI has Redis connection leak via tab storage causes service degradation

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI