Description
BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded at the server side, so it isn't audible to any participants, but this may allow for malicious server operators to access audio data. The behavior is only incorrect between joining the meeting and the first time the user unmutes. This issue has been fixed in version 3.0.20.
Published: 2026-02-21
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Update
AI Analysis

Impact

BigBlueButton is an open‑source virtual classroom platform. In versions 3.0.19 and earlier, when a participant joins a meeting with the microphone muted, the client erroneously continues to transmit audio to the server until the participant unmutes. The server discards the received media, so it is not played to other attendees, but a malicious or compromised server may capture and analyze the audio stream. The primary consequence is the potential exposure of private conversation data to anyone controlling or observing the server environment. This vulnerability is classified as CWE‑200, an information exposure weakness.

Affected Systems

The affected product is BigBlueButton, version 3.0.19 or earlier. The issue was identified in the source code at the commit referenced in the advisory and was fixed in BigBlueButton v3.0.20, as noted in the official security advisory.

Risk and Exploitability

The vulnerability carries a low CVSS score of 2 and an EPSS below 1 %, indicating a small probability of exploitation under current conditions. It is not present in the CISA KEV catalog, further suggesting limited exposure. Exploitation requires a malicious or compromised server operator; remote attackers cannot capture audio from a muted participant without controlling the server. Consequently, the risk is confined to compromised server administrators or attackers who have remote control of a BigBlueButton deployment.

Generated by OpenCVE AI on April 18, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to BigBlueButton v3.0.20 or later to eliminate the leak of muted participant audio.
  • Implement strict access controls on the BigBlueButton server, ensuring only authorized administrators can manage the deployment and modify configuration, to mitigate potential malicious data capture.
  • Enable logging and monitoring for audio streams and network traffic, and review logs for anomalous activity, to detect unauthorized capture of muted participant audio.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*

Wed, 25 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Bigbluebutton
Bigbluebutton bigbluebutton
Vendors & Products Bigbluebutton
Bigbluebutton bigbluebutton

Sat, 21 Feb 2026 07:30:00 +0000

Type Values Removed Values Added
Description BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded at the server side, so it isn't audible to any participants, but this may allow for malicious server operators to access audio data. The behavior is only incorrect between joining the meeting and the first time the user unmutes. This issue has been fixed in version 3.0.20.
Title BigBlueButton: Audio from participants to the server initially unmuted
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:49:12.218Z

Reserved: 2026-02-19T17:25:31.101Z

Link: CVE-2026-27467

Vulnrichment

Updated: 2026-02-24T18:49:04.296Z

NVD

Status: Analyzed

Published: 2026-02-21T08:16:11.827

Modified: 2026-02-26T18:54:09.117

Link: CVE-2026-27467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses