Authorization Flaw in BigBlueButton Allows Caption Injection by Viewers
CVE-2026-41127

6.5 MEDIUM

Key Information:

Vendor:
CVE Published: 21 April 2026

What is CVE-2026-41127?

BigBlueButton, an open-source virtual classroom application, has a vulnerability that allows unauthorized users (meeting viewers) to inject or overwrite captions during sessions. The issue is caused by insufficient authorization checks on caption submission in versions prior to 3.0.24. Version 3.0.24 addresses the flaw by restricting who is permitted to submit captions. Users are encouraged to update to version 3.0.24 or later, as no workaround is currently available.

Affected Version(s)

bigbluebutton < 3.0.24

CVSS v3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved