Audio Data Exposure in BigBlueButton Virtual Classroom by BigBlueButton Inc.
CVE-2026-27467

2 LOW

Key Information:

Vendor
CVE Published: 21 February 2026

What is CVE-2026-27467?

BigBlueButton, a popular open-source virtual classroom solution, has a vulnerability in versions 3.0.19 and earlier that can lead to audio data exposure. When a user joins a session with the microphone muted, the application still transmits audio data to the server, regardless of the mute setting. This audio data is discarded server-side and is not audible to other participants, but it poses a risk if the server operators are malicious. The flaw applies only from the initial joining of a meeting until the user unmutes. Users are encouraged to upgrade to version 3.0.20 or later to protect against this issue.

Affected Version(s)

bigbluebutton < 3.0.20

CVSS V3.1

Score: 2
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
