BigBlueButton CVE-2026-41127
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available.
AnalysisAI
BigBlueButton versions prior to 3.0.24 allow authenticated viewers to inject or overwrite captions due to missing authorization controls, enabling unauthorized modification of classroom content. The vulnerability requires an authenticated session but does not need user interaction, affecting the integrity of real-time collaboration in virtual classroom deployments. Version 3.0.24 restricts caption submission permissions to authorized roles only.
Technical ContextAI
BigBlueButton is an open-source web conferencing system designed for virtual classrooms and online collaboration. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the caption submission endpoint fails to properly validate whether a participant has the role or permission required to inject or modify captions. In multi-user video conference systems, caption data is typically stored server-side and broadcast to all participants; insufficient authorization checks allow lower-privilege users (viewers) to overwrite or inject false captions, corrupting the shared classroom record and potentially spreading misinformation in real-time.
Affected ProductsAI
BigBlueButton versions prior to 3.0.24 are affected. All installations running versions 3.0.0 through 3.0.23 are vulnerable. The vendor advisory is available at https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q387-2q28-mg33.
RemediationAI
Upgrade BigBlueButton to version 3.0.24 or later, which implements strict authorization checks on caption submission endpoints. The patch restricts caption injection to authorized roles (typically instructors or moderators) and rejects submissions from viewer-level participants. Administrators should apply this update across all production and test instances. Until patching is possible, the vendor advises no workarounds are available; however, administrators may temporarily mitigate exposure by restricting the participant list to trusted users only or disabling caption features in high-risk sessions, though these are not ideal long-term solutions. Verify the upgrade by checking the version string in the administrative console and testing caption functionality as different user roles.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today