Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
AC:H reflects DNS rebinding setup requirement; PR:L because meeting presenter roles are low-privilege in typical BBB deployments, not admin.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
BigBlueButton is an open-source virtual classroom. Prior to 3.0.23, the presentation URL validation did not properly restrict access to site local and link local addresses. The redirect following logic now pins resolved IPs. This issue is fixed in version 3.0.23.
AnalysisAI
Server-side request forgery in BigBlueButton's presentation URL handling allows privileged users to probe internal network resources before version 3.0.23. The presentation URL validation failed to block site-local (RFC 1918) and link-local (169.254.x.x) address ranges, and critically, the redirect-following logic did not pin resolved IP addresses, enabling DNS rebinding attacks that bypass initial validation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an account with presentation-URL submission capability within a BigBlueButton meeting - typically the moderator or presenter role, which is granted by meeting organizers or BBB administrators. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) yields a 6.8 Medium, but the scope-change (S:C) and high confidentiality impact (C:H) deserve attention. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious meeting moderator registers an attacker-controlled domain (e.g., attacker.example) that initially resolves to a legitimate public IP during BBB's URL validation phase, then rebinds via short TTL DNS to an internal address such as 169.254.169.254 (cloud metadata) or 192.168.1.1 (internal router). The moderator submits a presentation URL pointing to this domain; BBB's un-pinned redirect follower fetches the URL post-validation, now resolving to the internal target, and may expose response data from that internal service. … |
| Remediation | Upgrade to BigBlueButton 3.0.23 or later, which introduces IP-pinned redirect following and explicit blocklisting of site-local and link-local address ranges. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Bigbluebutton
View allBigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value ca
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which al
An issue was discovered in BigBlueButton through 2.2.29. Rated high severity (CVSS 7.5), this vulnerability is remotely
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external inte
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access exte
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. Rated high severi
BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official docu
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop acce
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. Rated medium severity (CVSS 6.5), this vulnerability
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploade
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, w
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44997