CVE-2026-27736

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/bigbluebutton/bigbluebutton/commit/691f92f3af0d6b796b91cb968977068663119812	Patch
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-65cv-rg9f-qqrx	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-25 17:25

Updated : 2026-03-05 18:26

NVD link : CVE-2026-27736

Mitre link : CVE-2026-27736

CVE.ORG link : CVE-2026-27736

JSON object : View

Products Affected

bigbluebutton

bigbluebutton

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

6.1 /10