Open Redirect Vulnerability in BigBlueButton Virtual Classroom
CVE-2026-27736

6.1 MEDIUM

Key Information:

Vendor
CVE Published: 25 February 2026

What is CVE-2026-27736?

BigBlueButton, an open-source virtual classroom solution, is susceptible to an open redirect vulnerability found in versions 3.x prior to 3.0.20. The flaw arises from inadequate validation of the 'errorRedirectUrl' string, enabling attackers to manipulate redirections via the 'respondWithRedirect' function. This could lead users to malicious sites without their consent. BigBlueButton 3.0.20 addresses this vulnerability, and currently, no workarounds are available to mitigate the risk.
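The kind of validation a caller-supplied redirect target such as 'errorRedirectUrl' needs, shown as an added example; this is not BigBlueButton's code and not the 3.0.20 patch. The names `ALLOWED_HOSTS`, `FALLBACK_URL`, `is_safe_redirect` and `choose_error_redirect` are hypothetical, and the hostnames are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist and fallback; hostnames are constructed for the example.
ALLOWED_HOSTS = {"bbb.example.org", "lms.example.org"}
FALLBACK_URL = "https://bbb.example.org/error"


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for absolute http(s) URLs whose host is allowlisted."""
    if not isinstance(url, str) or not url:
        return False
    # Browsers drop control characters and treat "\" like "/", so refuse any
    # input containing them: parser and browser must agree on the host.
    if any(ord(ch) < 0x21 or ch == "\\" for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data: and scheme-relative "//host"
    if parts.username is not None or parts.password is not None:
        return False  # rejects https://trusted-host@other-host/ confusion
    # Exact host match only (no suffix or substring matching); port is ignored.
    return host is not None and host.lower().rstrip(".") in allowed_hosts


def choose_error_redirect(candidate, fallback=FALLBACK_URL):
    """Use the caller-supplied URL only if it validates, else the fallback."""
    return candidate if is_safe_redirect(candidate) else fallback
```
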

Affected Version(s)

bigbluebutton >= 3.0.0, < 3.0.20

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
