
BigBlueButton: Multiple Security Vulnerabilities Closed

Multiple security vulnerabilities in BigBlueButton allow attackers to scan networks or impersonate other users.

Three security vulnerabilities in the open-source web conferencing software BigBlueButton enable attackers to impersonate other users or extract sensitive information from the network. Updated software versions that fix the vulnerabilities are now available.

The vulnerability disclosures were published at the end of last week. According to them, arbitrary users were able to send valid requests to endpoints that did not require a checksum (CVE-2026-46353 [1], CVSS 8.1, risk "high"). The cause is insufficient access control. In addition, the use of insufficiently random numbers means that users' session tokens can be guessed, which allows attackers to impersonate those users (CVE-2026-46351 [2], CVSS 8.1, risk "high"). Malicious actors who have already obtained access elsewhere can scan network content via a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-46404 [3], CVSS 6.8, risk "medium").

Updated software

BigBlueButton version 3.0.21 and later fixes the first two vulnerabilities. According to the release overview [4], this version has been available since the end of January. Version 3.0.23, released in mid-March, patches the SSRF vulnerability.

BigBlueButton is often used in university environments and in the iServ school communication system. Administrators should make sure they update to at least the patched versions in a timely manner. However, since information about security vulnerabilities is sometimes published with very long delays, upgrading to the current version is recommended, which at the time of writing is 3.0.27. It may already contain fixes for further security vulnerabilities that the public will only learn about weeks later.

In mid-October last year, there were indications of significant security vulnerabilities in BigBlueButton [5]. Those were fixed with version 3.0.13 of the conferencing software. (dmk [7])

URL of this article: https://www.heise.de/-11298922

Links in this article:

[1] https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-43hc-5g2m-cqff
[2] https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-7959-pf2v-xc4h
[3] https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-xqm3-6q7q-4v5h
[4] https://github.com/bigbluebutton/bigbluebutton/releases
[5] https://www.heise.de/news/BigBlueButton-Update-fuers-Webkonferenz-System-fixt-Denial-of-Service-Luecken-10751398.html
[7] mailto:dmk@heise.de

Copyright © 2026 Heise Medien
