BigBlueButton CVE-2026-41126
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available.
AnalysisAI
Open redirect vulnerability in BigBlueButton prior to version 3.0.24 allows unauthenticated remote attackers to redirect users to arbitrary external URLs via manipulation of the logoutURL parameter in the /api/join endpoint. The vulnerability requires user interaction (clicking a malicious link) but has low technical complexity and could facilitate phishing attacks by redirecting authenticated users away from the legitimate logout flow to attacker-controlled domains. Version 3.0.24 mitigates this by enforcing checksum validation and defaulting to the legitimate logoutURL when validation fails.
Technical ContextAI
BigBlueButton's /api/join API endpoint accepts a logoutURL parameter (CWE-601: URL Redirection to Untrusted Site) without proper validation or allowlisting. The API previously trusted user-supplied logoutURL values and redirected users to these URLs upon session termination, bypassing origin checks. The vulnerability resides in the URL handling logic of the join flow, where the application fails to validate that the redirect destination is within the trusted domain. Version 3.0.24 implements checksum-based request validation, ensuring that only legitimately-formed requests (with valid checksums) execute the original logoutURL; requests with incorrect checksums fall back to a safe default.
Affected ProductsAI
BigBlueButton versions prior to 3.0.24 are affected. This includes all 3.0.x releases up to and including 3.0.23, and likely earlier major versions (2.x, 1.x) if they share the same join API implementation, though the advisory focuses on the 3.0.x branch. The exact version range of earlier releases is not specified in the provided data. Organizations should consult the vendor advisory at https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8 for complete affected version information.
RemediationAI
Upgrade BigBlueButton to version 3.0.24 or later immediately. This release enforces checksum validation on join API requests; requests with invalid checksums default to the legitimate logoutURL, preventing open redirect exploitation. If immediate upgrade is not feasible, implement network-level controls: restrict outbound redirects from BigBlueButton application servers to a whitelist of known partner domains, or deploy a reverse proxy in front of BigBlueButton that validates logoutURL parameters against a whitelist before passing requests to the application. Additionally, configure web server logging to alert on join requests containing external logoutURL parameters, which may indicate attack attempts. These compensating controls have moderate overhead but require ongoing maintenance to whitelist legitimate partner logout endpoints. No configuration options are available to disable the vulnerable parameter in versions prior to 3.0.24; patching is the primary remediation.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today