Description
BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available.
Published: 2026-04-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Upgrade
AI Analysis

Impact

BigBlueButton versions before 3.0.24 allow an attacker to supply a malicious logoutURL through the bigbluebutton/api/join endpoint. The application trusts and redirects the user to the supplied URL, creating an Open Redirect (CWE‑601). While not a direct code execution flaw, the redirect can be used in phishing or credential‑harvest campaigns to lure users to malicious sites after they leave a meeting.

Affected Systems

The vulnerability affects the BigBlueButton virtual classroom platform. All deployments running BigBlueButton prior to version 3.0.24 are susceptible. No specific sub‑product or component beyond the primary server is mentioned.

Risk and Exploitability

The CVSS score is 4.3, indicating medium severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. It is a client‑side vulnerability that requires a user to be tricked into following a redirect, making it less likely to be exploited automatically but still dangerous for phishing campaigns.

Generated by OpenCVE AI on April 22, 2026 at 06:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BigBlueButton installation to version 3.0.24 or newer where the logoutURL validation has been corrected.
  • Verify that the logoutURL parameter is either omitted or strictly validated against a whitelist of allowed domains before redirection.
  • If an upgrade cannot be performed immediately, configure the web server or application to block or rewrite redirect attempts that originate from the logoutURL parameter.

Generated by OpenCVE AI on April 22, 2026 at 06:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Bigbluebutton
Bigbluebutton bigbluebutton
Vendors & Products Bigbluebutton
Bigbluebutton bigbluebutton

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available.
Title BigBlueButton has Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL"
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Bigbluebutton Bigbluebutton
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T14:16:24.217Z

Reserved: 2026-04-17T12:59:15.737Z

Link: CVE-2026-41126

cve-icon Vulnrichment

Updated: 2026-04-22T14:16:20.055Z

cve-icon NVD

Status : Received

Published: 2026-04-22T00:16:28.327

Modified: 2026-04-22T00:16:28.327

Link: CVE-2026-41126

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses