Skip to main content

BigBlueButton CVE-2026-41127

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-22 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 22, 2026 - 00:58 vuln.today
Analysis Generated
Apr 22, 2026 - 00:22 vuln.today
CVE Published
Apr 22, 2026 - 00:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available.

AnalysisAI

BigBlueButton versions prior to 3.0.24 allow authenticated viewers to inject or overwrite captions due to missing authorization controls, enabling unauthorized modification of classroom content. The vulnerability requires an authenticated session but does not need user interaction, affecting the integrity of real-time collaboration in virtual classroom deployments. Version 3.0.24 restricts caption submission permissions to authorized roles only.

Technical ContextAI

BigBlueButton is an open-source web conferencing system designed for virtual classrooms and online collaboration. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the caption submission endpoint fails to properly validate whether a participant has the role or permission required to inject or modify captions. In multi-user video conference systems, caption data is typically stored server-side and broadcast to all participants; insufficient authorization checks allow lower-privilege users (viewers) to overwrite or inject false captions, corrupting the shared classroom record and potentially spreading misinformation in real-time.

Affected ProductsAI

BigBlueButton versions prior to 3.0.24 are affected. All installations running versions 3.0.0 through 3.0.23 are vulnerable. The vendor advisory is available at https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q387-2q28-mg33.

RemediationAI

Upgrade BigBlueButton to version 3.0.24 or later, which implements strict authorization checks on caption submission endpoints. The patch restricts caption injection to authorized roles (typically instructors or moderators) and rejects submissions from viewer-level participants. Administrators should apply this update across all production and test instances. Until patching is possible, the vendor advises no workarounds are available; however, administrators may temporarily mitigate exposure by restricting the participant list to trusted users only or disabling caption features in high-risk sessions, though these are not ideal long-term solutions. Verify the upgrade by checking the version string in the administrative console and testing caption functionality as different user roles.

Share

CVE-2026-41127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy