BigBlueButton: Multiple security vulnerabilities closed
Multiple security vulnerabilities in BigBlueButton allow attackers to probe networks or impersonate other users.
Three security vulnerabilities in the open-source web conferencing software BigBlueButton allow attackers to, for example, impersonate other users or exfiltrate sensitive information from the network. Updated software versions that fix the vulnerabilities are available.
The vulnerability entries appeared at the end of last week. According to them, arbitrary users could send valid requests to API endpoints that did not require a checksum, the hash over the call and a shared secret with which BigBlueButton's HTTP API authenticates its callers (CVE-2026-46353, CVSS 8.1, rating "high"). The cause is insufficient access control. Furthermore, the use of insufficiently random numbers means that user session tokens can be guessed, which allows attackers to impersonate those users (CVE-2026-46351, CVSS 8.1, rating "high"). Attackers who already have some access can probe internal network resources through a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-46404, CVSS 6.8, rating "medium").
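To make the first two bug classes concrete, here is an added example that is not code from the BigBlueButton project or from this report. It models the BigBlueButton-style API checksum (a hash over call name, query string and shared secret, as the public API documentation describes it), a toy dispatcher in which some endpoints skip that check, and a session token drawn from a predictable generator beside one drawn from the OS CSPRNG. The shared secret, parameter values and endpoint names are constructed for the demo; the `handle` dispatcher and `unchecked` set are hypothetical and only illustrate the exempt-endpoint bug class, not the actual code path affected by the CVE.

```python
"""Added example, not BigBlueButton project code.

Models two bug classes from the advisories above:
  * an API endpoint exempt from the BigBlueButton-style checksum check, and
  * a session token produced by a predictable PRNG.
Checksum scheme per BigBlueButton's public API docs: hash(callName + queryString
+ sharedSecret), with the checksum parameter removed from the query first.
Secret, parameters and endpoint names are constructed for this demo.
"""
import hashlib
import hmac
import random
import secrets
from urllib.parse import urlencode

SHARED_SECRET = "constructed-demo-secret"   # constructed; never hard-code a real one


def bbb_checksum(call_name: str, query_string: str, secret: str, algo: str = "sha256") -> str:
    """checksum = hash(callName + queryString + sharedSecret), hex-encoded."""
    return hashlib.new(algo, (call_name + query_string + secret).encode()).hexdigest()


def sign_call(call_name: str, params: dict, secret: str) -> str:
    """Client side: build the query string and append the checksum."""
    qs = urlencode(params)
    return f"{qs}&checksum={bbb_checksum(call_name, qs, secret)}"


def strip_checksum(raw_query: str):
    """Split off the checksum parameter; the hash covers everything else verbatim."""
    supplied = None
    rest = []
    for part in raw_query.split("&"):
        if part.startswith("checksum="):
            supplied = part[len("checksum="):]
        elif part:
            rest.append(part)
    return "&".join(rest), supplied


def verify_request(call_name: str, raw_query: str, secret: str) -> bool:
    """Server side: recompute over the raw query minus the checksum and compare in
    constant time. Both SHA-256 and SHA-1 are tried because older integrations
    still send SHA-1 checksums."""
    qs, supplied = strip_checksum(raw_query)
    if not supplied or not supplied.isascii():
        return False
    return any(
        hmac.compare_digest(bbb_checksum(call_name, qs, secret, algo), supplied)
        for algo in ("sha256", "sha1")
    )


def handle(call_name: str, raw_query: str, secret: str, unchecked=frozenset()) -> int:
    """Hypothetical dispatcher. `unchecked` models the bug: endpoints exempt from
    the checksum check are reachable by anyone. Returns an HTTP-style status."""
    if call_name in unchecked:
        return 200                      # the vulnerable path: no caller authentication
    return 200 if verify_request(call_name, raw_query, secret) else 401


def weak_session_token(seed: int) -> str:
    """What 'insufficiently random' looks like: a PRNG seeded with a value an
    attacker can learn or guess (here an int, e.g. a timestamp) yields a token
    anyone holding the seed can regenerate."""
    return "%032x" % random.Random(seed).getrandbits(128)


def strong_session_token() -> str:
    """The fix: 256 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    q = sign_call("end", {"meetingID": "demo-room", "password": "mp"}, SHARED_SECRET)
    print("signed request:", handle("end", q, SHARED_SECRET))
    tampered = q.replace("demo-room", "other-room")
    print("tampered request:", handle("end", tampered, SHARED_SECRET))
    print("same request, endpoint exempt from check:", handle("end", tampered, SHARED_SECRET, {"end"}))
    print("weak token reproducible:", weak_session_token(1700000000) == weak_session_token(1700000000))
```

The point of the dispatcher is that the checksum is only as good as its coverage: one exempt endpoint turns a shared-secret scheme into an open API for whatever that endpoint does. For tokens, the fix is not a longer string but a generator whose state cannot be reconstructed from public inputs, which is what `secrets` provides and `random` does not.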
Updated Software
BigBlueButton version 3.0.21 fixes the first two vulnerabilities; according to the release overview, it has been available since the end of January. Version 3.0.23 from mid-March patches the SSRF hole.
BigBlueButton is widely used in universities and with the school communication platform IServ. Admins should make sure they update to at least the fixed versions promptly. However, since information about security vulnerabilities is sometimes published with a very long delay, upgrading to the current version, 3.0.27 at the time of writing, is recommended: it may already contain fixes for further vulnerabilities that the public will only learn about in weeks.
The last reports of significant security vulnerabilities in BigBlueButton date from mid-October last year; those were fixed with version 3.0.13 of the conferencing software.
(dmk)