CVE-2026-45554 Overview
CVE-2026-45554 affects NiceGUI, a Python-based user interface framework maintained by Zauberzeug. Versions prior to 3.12.0 expose two FastAPI routes that serve per-component static assets and accept a sub-path parameter. When that parameter resolves to a directory instead of a file, Starlette's FileResponse raises an unhandled RuntimeError. Uvicorn then writes the full traceback to the server log on every request. Because the affected routes require no authentication, a remote attacker can repeatedly trigger the exception to inflate log volume and exhaust disk and log-pipeline capacity. The maintainers patched the issue in version 3.12.0.
Critical Impact
Unauthenticated remote attackers can amplify server log output and consume disk and log-pipeline capacity on any internet-reachable NiceGUI server.
Affected Products
- NiceGUI versions prior to 3.12.0
- Applications built on the NiceGUI framework that expose default per-component static asset routes
- Deployments using Uvicorn and Starlette as the underlying ASGI stack
Discovery Timeline
- 2026-06-02 - CVE-2026-45554 published to the National Vulnerability Database
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45554
Vulnerability Analysis
The weakness is classified as [CWE-248] Uncaught Exception. NiceGUI registers two FastAPI routes that serve static assets for individual components. Each route accepts a sub-path parameter intended to point at a specific file beneath the component asset directory. The handlers pass the resolved path directly to Starlette's FileResponse without validating that the target is a regular file. When a request resolves the sub-path to a directory, FileResponse raises a RuntimeError during response construction. The exception is not caught by the route handler, so Uvicorn logs the entire Python traceback at error level. Each malicious request therefore produces a multi-line stack trace in the server log.
Root Cause
The handlers do not verify the file type of the resolved path before instantiating FileResponse. They also lack a try/except wrapper to convert the resulting RuntimeError into a normal HTTP error response. As a result, an expected user-input failure mode is treated as an internal server fault and logged in full each time.
Attack Vector
The routes are reachable over the network without authentication. An attacker sends repeated HTTP requests to the vulnerable static asset endpoints with sub-path values that resolve to directories under the component asset tree. Each request consumes server CPU, generates a large traceback in the log files, and forwards that data through any downstream log pipeline such as a SIEM or object storage bucket. Sustained traffic can fill disk volumes, trigger log ingestion cost spikes, and crowd out legitimate events. No exploit code or public proof of concept is currently listed for this issue.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-pq7c-x8g4-rvp6 for vendor technical details.
Detection Methods for CVE-2026-45554
Indicators of Compromise
- Repeated RuntimeError tracebacks originating from Starlette's FileResponse in Uvicorn server logs
- High request rates from a single source against per-component static asset routes under /_nicegui/
- Sudden growth in log file size or log-pipeline ingestion volume tied to a NiceGUI host
- HTTP requests whose sub-path parameter resolves to a directory rather than a file
Detection Strategies
- Parse Uvicorn access and error logs for clusters of identical FileResponse tracebacks within short time windows
- Alert on disk usage growth rates on volumes hosting application logs for NiceGUI services
- Correlate spikes in 500-class responses from NiceGUI static asset routes with source IP frequency to identify abusive clients
Monitoring Recommendations
- Track log volume per NiceGUI service and set thresholds that trigger when daily output deviates from baseline
- Monitor SIEM ingestion costs and event counts attributable to NiceGUI sources
- Capture request rates to /_nicegui/ static asset endpoints and alert on unauthenticated bursts
How to Mitigate CVE-2026-45554
Immediate Actions Required
- Upgrade NiceGUI to version 3.12.0 or later on all affected hosts
- Inventory internet-exposed NiceGUI deployments and prioritize public-facing instances for patching
- Rotate or truncate logs that have already grown abnormally to recover disk space
Patch Information
The issue is fixed in NiceGUI 3.12.0. Release notes are available at the GitHub Release v3.12.0 page, and the coordinated disclosure record is in the GitHub Security Advisory GHSA-pq7c-x8g4-rvp6. Apply the upgrade through the standard package manager, for example pip install --upgrade nicegui.
Workarounds
- Place a reverse proxy or web application firewall in front of NiceGUI to rate-limit requests against per-component static asset routes
- Restrict network exposure of NiceGUI services to trusted networks until the upgrade is applied
- Configure log rotation with strict size limits and separate volumes so that log growth cannot fill the primary disk
# Configuration example
pip install --upgrade "nicegui>=3.12.0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
