Skip to main content

BigBlueButton CVE-2026-46404

| EUVDEUVD-2026-44997 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-16 GitHub_M
6.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
6.3 MEDIUM

AC:H reflects DNS rebinding setup requirement; PR:L because meeting presenter roles are low-privilege in typical BBB deployments, not admin.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 20:48 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 18:46 vuln.today
Analysis Generated
Jul 16, 2026 - 18:46 vuln.today

DescriptionCVE.org

BigBlueButton is an open-source virtual classroom. Prior to 3.0.23, the presentation URL validation did not properly restrict access to site local and link local addresses. The redirect following logic now pins resolved IPs. This issue is fixed in version 3.0.23.

AnalysisAI

Server-side request forgery in BigBlueButton's presentation URL handling allows privileged users to probe internal network resources before version 3.0.23. The presentation URL validation failed to block site-local (RFC 1918) and link-local (169.254.x.x) address ranges, and critically, the redirect-following logic did not pin resolved IP addresses, enabling DNS rebinding attacks that bypass initial validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain meeting moderator/presenter role
Delivery
Submit presentation URL pointing to attacker-controlled domain
Exploit
BBB server validates URL against public IP
Install
DNS rebinds domain to internal/link-local address
C2
BBB follows redirect with no IP pinning
Execute
Internal service responds to BBB
Impact
Response content exposed to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires an account with presentation-URL submission capability within a BigBlueButton meeting - typically the moderator or presenter role, which is granted by meeting organizers or BBB administrators. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) yields a 6.8 Medium, but the scope-change (S:C) and high confidentiality impact (C:H) deserve attention. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious meeting moderator registers an attacker-controlled domain (e.g., attacker.example) that initially resolves to a legitimate public IP during BBB's URL validation phase, then rebinds via short TTL DNS to an internal address such as 169.254.169.254 (cloud metadata) or 192.168.1.1 (internal router). The moderator submits a presentation URL pointing to this domain; BBB's un-pinned redirect follower fetches the URL post-validation, now resolving to the internal target, and may expose response data from that internal service. …
Remediation Upgrade to BigBlueButton 3.0.23 or later, which introduces IP-pinned redirect following and explicit blocklisting of site-local and link-local address ranges. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-27605 CRITICAL POC
9.8 Oct 21

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject

CVE-2020-12443 CRITICAL POC
9.8 Apr 29

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value ca

CVE-2020-27613 HIGH POC
8.4 Oct 21

The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which al

CVE-2020-29043 HIGH POC
7.5 Nov 26

An issue was discovered in BigBlueButton through 2.2.29. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2020-27610 HIGH POC
7.5 Oct 21

The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external inte

CVE-2020-27603 HIGH POC
7.5 Oct 21

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access exte

CVE-2020-12112 HIGH POC
7.5 Apr 23

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. Rated high severi

CVE-2026-27466 HIGH POC
7.2 Feb 21

BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official docu

CVE-2020-27607 MEDIUM POC
6.5 Oct 21

In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop acce

CVE-2020-27604 MEDIUM POC
6.5 Oct 21

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2020-25820 MEDIUM POC
6.5 Oct 21

BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploade

CVE-2020-27608 MEDIUM POC
6.1 Oct 21

In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, w

Share

CVE-2026-46404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy