Skip to main content

BigBlueButton EUVDEUVD-2026-44996

| CVE-2026-46351 HIGH
Use of Insufficiently Random Values (CWE-330)
2026-07-16 GitHub_M
8.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Requires an existing valid session so PR:L; network-reachable token prediction with no user interaction; impersonation breaks confidentiality and integrity (C:H/I:H) but not availability.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 20:48 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 18:46 vuln.today
Analysis Generated
Jul 16, 2026 - 18:46 vuln.today
CVE Published
Jul 16, 2026 - 17:58 cve.org
HIGH 8.1

DescriptionCVE.org

BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web generated conference sessionToken values with insufficiently secure randomness in bbb-common-web/src/main/java/org/bigbluebutton/api/Util.java and bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy, allowing a session user to predict other users' conference session tokens and impersonate them. This issue is fixed in version 3.0.21.

AnalysisAI

Session hijacking in BigBlueButton before 3.0.21 lets an authenticated conference participant predict and reuse other users' session tokens to impersonate them. The bbb-web component generated 16-character sessionToken values (and 12-character auth tokens and internal user IDs) using Apache Commons RandomStringUtils.randomAlphanumeric, a non-cryptographic PRNG, making the token space guessable to anyone who already holds a valid session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join meeting as ordinary participant
Delivery
Observe issued weak-random tokens
Exploit
Predict victim's sessionToken value
Execution
Replay token to hijack session
Impact
Impersonate victim in conference

Vulnerability AssessmentAI

Exploitation The attacker must first hold a valid conference session on the target BigBlueButton server (PR:L) - i.e., be able to join a meeting as a participant - because prediction relies on the same weak java.util.Random-based generator that issues tokens for other users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, score 8.1) indicates network-reachable, low-complexity exploitation by an attacker who already holds low-level privileges - i.e., a legitimate session user, which matches the description of 'a session user' predicting others' tokens. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker joins a meeting as an ordinary participant, obtaining a valid session and observing the format and values of issued tokens. Knowing that tokens come from a non-cryptographic java.util.Random, the attacker predicts another participant's (e.g., a moderator's) 16-character sessionToken and reuses it to impersonate that user within the conference. …
Remediation Vendor-released patch: 3.0.21 - upgrade BigBlueButton to v3.0.21 or later, which replaces the insecure RandomStringUtils token generation with a java.security.SecureRandom-backed Util.randomAlphanumeric helper (fix commit 8457886c248aeba5597ee8749267602d6d117e98). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, conduct a complete audit of BigBlueButton deployments to identify all systems running versions prior to 3.0.21, prioritizing instances that host sensitive or confidential communications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-44996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy