CVE-2026-27736 - Vulnerability Details

- BigBlueButton has Open Redirect vulnerability in ApiController

Description

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.

Published: 2026-02-25

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises in BigBlueButton 3.x before 3.0.20 where the errorRedirectUrl string supplied to the ApiController is used without validation in respondWithRedirect, enabling an attacker to specify an arbitrary URL. This leads to an open‑redirect flaw that can be abused to steer users to malicious sites, support phishing, or cloak malicious links, compromising the integrity of user interactions. The weakness corresponds to CWE‑601 – Open Redirect.

Affected Systems

The flaw affects the open‑source virtual classroom software BigBlueButton. Versions on the 3.x branch older than 3.0.20 are vulnerable; the issue is fixed in BigBlueButton 3.0.20 and later. The vulnerability originates in the ApiController component that handles errorRedirectUrl parameters in HTTP requests.

Risk and Exploitability

The CVSS score is 6.1, indicating medium severity. The EPSS score is below 1 %, suggesting a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, open redirects facilitate phishing and other malicious campaigns, so an attacker may still target exposed BigBlueButton instances if the errorRedirectUrl input is not properly validated. The flaw can be exploited remotely via crafted HTTP requests against the API endpoint, with no privilege escalation required on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bigbluebutton

affected

Version	Status	Constraints
`>= 3.0.0, < 3.0.20`	affected	—

Configuration 1 [-]

cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Bigbluebutton

100%

Version	Status	Scheme	Platform
`[3.0.0,3.0.20)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to BigBlueButton version 3.0.20 or newer to apply the vendor‑supplied fix.
If an immediate upgrade is not possible, configure the web gateway or reverse proxy to reject or block requests that contain an errorRedirectUrl parameter, or redirect all redirects to a whitelist of trusted domains.
Continuously monitor application logs for unexpected redirect attempts and traffic patterns indicative of phishing or malicious redirects.

Generated by OpenCVE AI on April 17, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/bigbluebutton/bigbluebutton/commit/691f92f3af0d6b796b91cb968977068663119812
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-65cv-rg9f-qqrx

History

Thu, 05 Mar 2026 18:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:bigbluebutton:bigbluebutton::::::::

Thu, 26 Feb 2026 23:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bigbluebutton Bigbluebutton bigbluebutton
Vendors & Products		Bigbluebutton Bigbluebutton bigbluebutton

Wed, 25 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.
Title		BigBlueButton has Open Redirect vulnerability in ApiController
Weaknesses		CWE-601
References		https://github.com/bigbluebutton/bigbluebutton/commit/691f92f3af0d6b796b91cb968977068663119812 https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-65cv-rg9f-qqrx
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Bigbluebutton Bigbluebutton

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-25T16:27:01.507Z

Updated: 2026-02-26T21:33:41.504Z

Reserved: 2026-02-23T18:37:14.790Z

Link: CVE-2026-27736

Vulnrichment

Updated: 2026-02-26T21:07:14.460Z

NVD

Status : Analyzed

Published: 2026-02-25T17:25:40.283

Modified: 2026-03-05T18:26:56.690

Link: CVE-2026-27736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses

CWE-601

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object