Skip to main content

BigBlueButton CVE-2026-41126

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-04-22 security-advisories@github.com
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 22, 2026 - 00:58 vuln.today
Analysis Generated
Apr 22, 2026 - 00:22 vuln.today
CVE Published
Apr 22, 2026 - 00:16 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available.

AnalysisAI

Open redirect vulnerability in BigBlueButton prior to version 3.0.24 allows unauthenticated remote attackers to redirect users to arbitrary external URLs via manipulation of the logoutURL parameter in the /api/join endpoint. The vulnerability requires user interaction (clicking a malicious link) but has low technical complexity and could facilitate phishing attacks by redirecting authenticated users away from the legitimate logout flow to attacker-controlled domains. Version 3.0.24 mitigates this by enforcing checksum validation and defaulting to the legitimate logoutURL when validation fails.

Technical ContextAI

BigBlueButton's /api/join API endpoint accepts a logoutURL parameter (CWE-601: URL Redirection to Untrusted Site) without proper validation or allowlisting. The API previously trusted user-supplied logoutURL values and redirected users to these URLs upon session termination, bypassing origin checks. The vulnerability resides in the URL handling logic of the join flow, where the application fails to validate that the redirect destination is within the trusted domain. Version 3.0.24 implements checksum-based request validation, ensuring that only legitimately-formed requests (with valid checksums) execute the original logoutURL; requests with incorrect checksums fall back to a safe default.

Affected ProductsAI

BigBlueButton versions prior to 3.0.24 are affected. This includes all 3.0.x releases up to and including 3.0.23, and likely earlier major versions (2.x, 1.x) if they share the same join API implementation, though the advisory focuses on the 3.0.x branch. The exact version range of earlier releases is not specified in the provided data. Organizations should consult the vendor advisory at https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8 for complete affected version information.

RemediationAI

Upgrade BigBlueButton to version 3.0.24 or later immediately. This release enforces checksum validation on join API requests; requests with invalid checksums default to the legitimate logoutURL, preventing open redirect exploitation. If immediate upgrade is not feasible, implement network-level controls: restrict outbound redirects from BigBlueButton application servers to a whitelist of known partner domains, or deploy a reverse proxy in front of BigBlueButton that validates logoutURL parameters against a whitelist before passing requests to the application. Additionally, configure web server logging to alert on join requests containing external logoutURL parameters, which may indicate attack attempts. These compensating controls have moderate overhead but require ongoing maintenance to whitelist legitimate partner logout endpoints. No configuration options are available to disable the vulnerable parameter in versions prior to 3.0.24; patching is the primary remediation.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-41126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy