CVE-2026-45554: NiceGUI Static Asset Route Log Flooding Vulnerability
NiceGUI, a Python UI framework built on FastAPI, contains a vulnerability in how it handles requests for static assets. Two specific routes can be manipulated to point to directories instead of files. When this happens, the framework throws an error that gets logged with full technical details—and these routes don't require authentication. An attacker can repeatedly trigger these errors to flood the server logs, potentially filling up disk space or overwhelming logging infrastructure. This affects NiceGUI versions before 3.12.0 and has been fixed in version 3.12.0 and later.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-248, CWE-770
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. This issue has been patched in version 3.12.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in NiceGUI's per-component static asset serving routes. These FastAPI endpoints accept a sub-path parameter without sufficient validation to ensure the resolved path points to a file rather than a directory. When a directory is requested, Starlette's FileResponse handler raises an unhandled RuntimeError. Because Uvicorn logs this exception with a full traceback and the routes are unauthenticated, an attacker can craft repeated requests that reliably generate large log entries. The issue is categorized under CWE-248 (Uncaught Exception) and CWE-770 (Allocation of Resources Without Limits or Throttling), indicating both improper error handling and lack of rate limiting on the vulnerable endpoints.
Business impact
Organizations running publicly accessible NiceGUI applications face a denial-of-service risk targeting logging and storage infrastructure rather than application availability directly. An attacker can exhaust disk space reserved for logs, potentially triggering cascading failures in monitoring systems, log aggregation pipelines, or the application itself if it shares storage. In multi-tenant or SaaS environments, this could degrade service visibility and incident response capabilities. The CVSS score of 5.3 (Medium) reflects availability impact without affecting confidentiality or integrity—the attack does not expose data or modify functionality, but degrades operational observability.
Affected systems
NiceGUI versions prior to 3.12.0 are affected. The vulnerability is specific to the framework's static asset serving mechanism and impacts any deployment where NiceGUI is exposed to untrusted network traffic. Self-hosted instances, cloud deployments, and containerized applications running older NiceGUI versions are in scope. Version 3.12.0 and later contain the fix.
Exploitability
Exploitability is high from a practical standpoint. The attack requires no authentication, no special privileges, and no user interaction. An attacker needs only network access to the NiceGUI server and can trigger the vulnerability with simple HTTP requests to the known static asset routes, specifying directory paths instead of files. This can be automated easily. However, the impact is limited to log flooding rather than code execution or data breach, which keeps the severity at Medium. The unauthenticated, network-accessible nature and low operational complexity mean any adversary with basic HTTP knowledge can execute this attack.
Remediation
Upgrade NiceGUI to version 3.12.0 or later. The patch addresses the root cause by validating that resolved paths point to files, not directories, before attempting to serve them. For organizations unable to upgrade immediately, consider network-level mitigations: restrict access to NiceGUI to trusted networks, implement rate limiting on the static asset routes (if possible via reverse proxy), or monitor for sudden spikes in error logs from these endpoints. However, patching is the definitive solution.
Patch guidance
Verify your current NiceGUI version using pip or your package manager (e.g., `pip show nicegui`). If running a version prior to 3.12.0, update immediately with `pip install --upgrade nicegui` or equivalent for your deployment method. For containerized deployments, rebuild images with NiceGUI 3.12.0 or later and redeploy. Test the upgrade in a non-production environment first to ensure compatibility with your application. Consult the NiceGUI release notes for version 3.12.0 to confirm no breaking changes affect your codebase.
Detection guidance
Monitor application and web server logs for patterns of 500-level errors or RuntimeExceptions originating from NiceGUI's static asset routes, particularly those mentioning FileResponse or directory resolution. Look for repeated requests to static asset endpoints with paths that do not correspond to actual files (e.g., paths ending in `/` or containing directory traversal-like sequences). Alert on sudden increases in log volume or disk usage growth correlated with these error patterns. If using a centralized logging system, create detection rules for RuntimeError exceptions from Uvicorn/Starlette with 'directory' or path-related keywords. Baseline normal static asset request patterns and flag anomalies.
Why prioritize this
Prioritize this vulnerability for patching because the attack surface is unauthenticated and network-accessible, and can be triggered trivially at scale. While the direct impact (log flooding, disk exhaustion) is contained to availability rather than confidentiality, a degraded or offline logging system can mask other security incidents. In environments where logging infrastructure is shared or constrained, or where alert fatigue is already a concern, this vulnerability poses a meaningful operational risk. Medium severity with high exploitability warrants prompt action, especially in production environments.
Risk score, explained
The CVSS 3.1 score of 5.3 (Medium) reflects: Attack Vector = Network (exploitable remotely), Attack Complexity = Low (no special conditions needed), Privileges Required = None (no authentication), User Interaction = None (fully automated), Scope = Unchanged (only the vulnerable component affected), Availability Impact = Low (log flooding and disk exhaustion are gradual, not instant service failure), Confidentiality = None, Integrity = None. The score appropriately captures that this is a denial-of-service vector with accessibility and simplicity but limited immediate impact compared to critical vulnerabilities. It does not exploit memory safety issues, code execution, or authentication bypass.
Frequently asked questions
Does this vulnerability allow an attacker to read or modify my NiceGUI application's data or code?
No. This vulnerability does not affect confidentiality or integrity. It does not enable data exfiltration, authentication bypass, or code execution. The attack is limited to resource exhaustion via log flooding and does not compromise the security of the application or its data.
Do I need to restart my NiceGUI application after upgrading to version 3.12.0?
Yes. After upgrading the NiceGUI package, you should restart the application to load the patched code. For containerized deployments, rebuild and redeploy the container image. Rolling updates or process restarts depending on your infrastructure are recommended to minimize downtime.
Can I mitigate this vulnerability without upgrading if my NiceGUI server is behind a firewall?
Network segmentation reduces risk by limiting the attacker surface to authorized users or networks. However, if your NiceGUI server is accessible to any untrusted network—including the internet, a corporate network with many users, or a partner network—the vulnerability remains exploitable by those with access. Patching is the reliable fix; network controls are a supplement, not a replacement.
What should I do if I see suspicious error patterns in my logs before I can patch?
Document the error pattern (timestamps, HTTP endpoints, requesting IPs if available) for incident analysis. Increase monitoring frequency to detect potential attacks. Implement temporary rate limiting or IP-based access controls if your infrastructure supports it. Plan and execute the upgrade as soon as possible, and consider rolling back to a known-good state if you detect active exploitation causing significant log volume.
This analysis is provided for informational and educational purposes. Readers are responsible for verifying vulnerability details and patch availability with official vendor documentation and release notes. SEC.co does not guarantee accuracy of third-party data and recommends independent testing before deploying patches to production systems. Use of this information to attack systems you do not own or have authorization to test is illegal. Always follow your organization's change management and security policies when applying patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-44545MEDIUMDaphne WebSocket Denial of Service via Unlimited Payload Size
- CVE-2026-45023MEDIUMAutoGPT Credit Bypass in Block Execution API
- CVE-2026-45078MEDIUMSynapse Denial-of-Service via CPU Exhaustion (v1.152.1+)
- CVE-2026-45292MEDIUMOpenTelemetry Java Baggage DoS Vulnerability – Patch & Detection Guide