Description
BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized caption injection via missing viewer authorization
Action: Apply patch
AI Analysis

Impact

This vulnerability arises from a missing authorization check that allows users with the viewer role to submit or replace captions in BigBlueButton. As a result, a malicious viewer can insert misleading or disruptive captions, potentially spreading misinformation or disrupting the learning experience. The weakness corresponds to CWE-639, an authorization bypass that undermines data integrity.

Affected Systems

All BigBlueButton deployments running a version earlier than 3.0.24 are affected, including 3.0.23 and any prior releases. Users who have not applied the 3.0.24 update or later remain vulnerable until the authorization controls are restored.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate to high risk. Since the EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, the likelihood of widespread exploitation is uncertain but could emerge through targeted attacks. The flaw can be leveraged by any participant with viewer access, making it a low barrier to exploit. Administrators should treat this as a medium risk that requires timely patching.

Generated by OpenCVE AI on April 22, 2026 at 06:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BigBlueButton to version 3.0.24 or later to restore proper caption submission permissions.
  • Review and tighten role permissions to ensure that only moderators or authorized staff can submit captions.
  • Implement monitoring or logging to detect any unauthorized caption submissions in the interim period before the upgrade can be completed.

Generated by OpenCVE AI on April 22, 2026 at 06:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Bigbluebutton
Bigbluebutton bigbluebutton
Vendors & Products Bigbluebutton
Bigbluebutton bigbluebutton

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available.
Title BigBlueButton's missing authorization allows viewer to inject/overwrite captions
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Bigbluebutton Bigbluebutton
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:12:52.166Z

Reserved: 2026-04-17T12:59:15.737Z

Link: CVE-2026-41127

cve-icon Vulnrichment

Updated: 2026-04-22T13:12:48.269Z

cve-icon NVD

Status : Received

Published: 2026-04-22T00:16:28.463

Modified: 2026-04-22T00:16:28.463

Link: CVE-2026-41127

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses