Open Redirect Vulnerability in BigBlueButton by Blindside Networks
CVE-2026-41126

4.3MEDIUM

Key Information:

Vendor: Bigbluebutton
Status: Bigbluebutton
Vendor: CVE Published:; 21 April 2026

🔔 Create Bigbluebutton Vulnerability Alert

What is CVE-2026-41126?

BigBlueButton, an open-source virtual classroom solution, is affected by an Open Redirect vulnerability in versions prior to 3.0.24. This issue arises via the bigbluebutton/api/join endpoint, where the get-parameter 'logoutURL' can be manipulated. If exploited, it can redirect users to unintended websites, potentially leading to phishing attacks or unauthorized access. Notably, the recent update in version 3.0.24 enhances the request handling to ensure that an incorrect checksum defaults to a secure logoutURL, mitigating this vulnerability. Users are strongly advised to upgrade to the latest version to safeguard against potential threats.

Affected Version(s)

bigbluebutton < 3.0.24

References

https://github.com/bigbluebutton/bigbluebutton/security/a...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 17, 2026

CVE-2026-41126 Data

JSON