Threat Advisory

NiceGUI Vulnerability Exposes Local File Disclosure

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45553 (CVSS score 7.5) is a local file disclosure vulnerability in NiceGUI, specifically in its reStructuredText renderer, affecting versions of the NiceGUI pip package prior to 3.12.0. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives, such as include, csv-table with the :file: option, and raw with the :file: option, to read local files readable by the NiceGUI server process. The underlying weakness is exposure of sensitive information to an unauthorized actor: the attacker can disclose local files containing application configuration, database URLs, API tokens, session/storage secrets, OAuth or cloud credentials, Docker or Kubernetes mounted secrets, application source files, logs, and other process-readable files. The business impact is loss of confidentiality through arbitrary local file read; the exposed material could be used for further attacks or to compromise the security and integrity of the NiceGUI application. Exploitation requires access to a NiceGUI application that passes untrusted or user-controlled reStructuredText content to ui.restructured_text().

RECOMMENDATION:

We recommend updating nicegui to version 3.12.0.
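As an added illustration, not taken from this advisory or from the NiceGUI project, the following shows the Docutils-level controls behind the three directives named above for any application that renders untrusted reStructuredText through Docutils: a stdlib-only pre-scan that flags include, csv-table :file: and raw :file:, and a render call with file insertion and raw pass-through disabled. Helper names, settings dictionary name and sample input are assumptions; the `docutils` package is only needed by render_untrusted_rst().

```python
# Defensive handling of untrusted reStructuredText (hypothetical helper names).
# Layer 1: stdlib-only pre-scan for the directives that pull local files into
# the output. Layer 2: render via Docutils with file insertion and raw disabled.
import re

# `include` always reads a file; `raw` and `csv-table` only via a :file: option
# placed in the indented option block directly under the directive line.
# The scan may over-report inside literal blocks; the settings are the real control.
_INCLUDE_RE = re.compile(r"^\s*\.\.\s+include\s*::", re.I | re.M)
_FILE_OPT_RE = re.compile(
    r"^\s*\.\.\s+(raw|csv-table)\s*::[^\n]*\n(?:[ \t]+:[^\n]*\n)*?[ \t]+:file\s*:",
    re.I | re.M,
)

# Docutils settings that close all three vectors (CLI: --no-file-insertion, --no-raw).
HARDENED_SETTINGS = {
    "file_insertion_enabled": False,  # disables include and :file: on raw/csv-table
    "raw_enabled": False,             # disables the raw directive altogether
}


def find_file_reading_directives(rst: str) -> list[str]:
    """Return one entry per directive that would read a local file, for logging/rejecting."""
    found = ["include" for _ in _INCLUDE_RE.finditer(rst)]
    found += [m.group(1).lower() + " :file:" for m in _FILE_OPT_RE.finditer(rst)]
    return found


def render_untrusted_rst(rst: str) -> str:
    """Render an HTML fragment with file-reading directives disabled (needs docutils)."""
    from docutils.core import publish_parts  # third-party, imported lazily
    return publish_parts(rst, writer_name="html", settings_overrides=HARDENED_SETTINGS)["body"]


# Constructed sample of untrusted input; the paths are placeholders, not real files.
UNTRUSTED_SAMPLE = """\
.. note:: a harmless admonition

.. include:: /placeholder/config

.. csv-table:: data
   :file: /placeholder/secrets.csv

.. raw:: html
   :file: /placeholder/app.log
"""

if __name__ == "__main__":
    print(find_file_reading_directives(UNTRUSTED_SAMPLE))  # ['include', 'csv-table :file:', 'raw :file:']
```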

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-jfrm-rx66-g536
