CVE-2026-33332
Published: 24 March 2026
Summary
CVE-2026-33332 is a high-severity Improper Input Validation (CWE-20) vulnerability in Zauberzeug Nicegui. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses improper input validation of the user-controlled query parameter in media routes, preventing bypass of chunked streaming and full file loads into memory.
Protects against denial-of-service from excessive memory consumption triggered by concurrent manipulated requests for large media files.
Enforces resource allocation limits and prioritization to mitigate memory exhaustion from unthrottled file loading during streaming.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables direct exploitation of a public-facing Python web application to trigger uncontrolled memory allocation and resource exhaustion via crafted requests, mapping precisely to application/system exploitation for endpoint DoS.
NVD Description
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
Deeper analysis
CVE-2026-33332 affects NiceGUI, a Python-based UI framework, in versions prior to 3.9.0. The vulnerability resides in the app.add_media_file() and app.add_media_files() functions, which expose media routes that accept a user-controlled query parameter. This parameter directly influences file reading during streaming and is passed without validation to the range-response implementation. As a result, attackers can bypass chunked streaming, forcing the server to load entire files into memory simultaneously, which can cause excessive memory consumption, performance degradation, or denial of service when handling large media files.
The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction. Remote attackers can exploit it by crafting requests to the affected media routes with a manipulated query parameter, particularly effective against servers serving large files under concurrent load. Successful exploitation leads to resource exhaustion and denial of service without impacting confidentiality or integrity.
The vulnerability has been addressed in NiceGUI version 3.9.0, as detailed in the project's security advisory (GHSA-w5g8-5849-vj76), release notes, and the patching commit. Security practitioners should upgrade to 3.9.0 or later and review deployments that use these media functions. The flaw is classified under CWE-20 (Improper Input Validation) and CWE-770 (Allocation of Resources Without Limits or Throttling).
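As an added illustration of the flaw class and its mitigation (this is not NiceGUI's code; the query parameter name `chunk_size`, the limits and the helper names are assumptions, since the advisory does not name the real parameter): a range reader that uses a client-supplied chunk size unchecked, beside one that validates and clamps it, with a peak-read measurement showing why the unchecked variant pulls the whole file into memory in a single read.

```python
# Added example (not NiceGUI's own code): bound a client-supplied chunk size
# before it reaches a range-response reader. The parameter name "chunk_size"
# and the limits are assumptions; the advisory does not name the real parameter.
import os
import tempfile

DEFAULT_CHUNK = 64 * 1024   # assumed default read size
MAX_CHUNK = 1024 * 1024     # assumed hard upper bound for a single read

def chunk_size_unvalidated(raw):
    """Flaw pattern: the client's value is used as-is."""
    return int(raw) if raw is not None else DEFAULT_CHUNK

def chunk_size_validated(raw, max_chunk=MAX_CHUNK):
    """Hardened: accept only a positive integer and clamp it to max_chunk."""
    if raw is None:
        return DEFAULT_CHUNK
    if not raw.isdigit() or int(raw) == 0:   # rejects '', '-5', '1e9', '0'
        raise ValueError(f"invalid chunk_size: {raw!r}")
    return min(int(raw), max_chunk)

def iter_file_range(path, start, end, chunk_size):
    """Yield bytes start..end (inclusive) in reads of at most chunk_size."""
    remaining = end - start + 1
    with open(path, "rb") as f:
        f.seek(start)
        while remaining > 0:
            data = f.read(min(chunk_size, remaining))
            if not data:
                break
            remaining -= len(data)
            yield data

def peak_read(path, start, end, chunk_size):
    """Largest single read performed (a proxy for peak memory per request)."""
    return max(len(part) for part in iter_file_range(path, start, end, chunk_size))

def demo(file_size=3 * MAX_CHUNK + 5):
    """Serve a constructed file twice with chunk_size=999999999: return
    (peak read with the flaw, peak read when hardened)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"x" * file_size)   # constructed sample media file
        path = tmp.name
    try:
        flawed = peak_read(path, 0, file_size - 1, chunk_size_unvalidated("999999999"))
        hardened = peak_read(path, 0, file_size - 1, chunk_size_validated("999999999"))
    finally:
        os.unlink(path)
    return flawed, hardened   # (3145733, 1048576)
```

The clamp is what turns a request-controlled allocation into a bounded one; under concurrent requests, peak memory then scales with MAX_CHUNK times the number of in-flight responses rather than with file size.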
Details
- CWE(s)