Platform: php
Component: bigbluebutton
Fixed in: 3.0.25
CVE-2026-41126 describes an Open Redirect vulnerability discovered in BigBlueButton, an open-source virtual classroom platform. This flaw allows attackers to redirect users to arbitrary URLs, potentially leading to phishing or malware distribution. The vulnerability affects versions 3.0.0 through 3.0.24, and a fix is available in version 3.0.24.
An attacker can exploit this Open Redirect vulnerability by crafting a malicious URL containing a manipulated logoutURL parameter within the bigbluebutton/api/join endpoint. When a user clicks this crafted link, they are redirected to the attacker's chosen destination, bypassing intended security measures. This could lead to credential theft through phishing, redirection to malware-laden websites, or other malicious activities. The impact is amplified if BigBlueButton is integrated with other systems, as the redirection could potentially compromise those systems as well.
CVE-2026-41126 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively simple nature of Open Redirect vulnerabilities, it is possible that this vulnerability could be targeted by automated scanners and exploited in the future.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-41126 is to immediately upgrade BigBlueButton to version 3.0.24 or later. Since no workarounds are available, patching is the only viable solution. Before upgrading, it's recommended to back up your BigBlueButton configuration and database. After the upgrade, verify the fix by attempting to access the bigbluebutton/api/join endpoint with a crafted logoutURL parameter; the system should now redirect to the default logout URL instead of the attacker-controlled URL.
Update BigBlueButton to version 3.0.24 or higher to mitigate the risk of open redirection. This version corrects the handling of requests with incorrect checksums, ensuring that the default logoutURL is used.
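The fix described above comes down to one server-side rule: a join request whose checksum does not verify is not trusted, so its logoutURL is ignored and the configured default logout URL is used. The following is an added example that models that rule; it is not BigBlueButton's own code. It assumes the checksum is SHA-1 over the API call name, the query string without the checksum parameter, and the shared secret, and it uses a constructed shared secret and a constructed default URL. As an extra hardening step that the advisory does not mention, it also rejects redirect targets that are not absolute http(s) URLs even when the checksum is valid.

```python
"""Server-side handling of the join API's logoutURL parameter (added example).

Models the defensive rule the fix implies: an unauthenticated request (missing
or wrong checksum) must not steer the logout redirect; the default URL is used.
Assumed (not from the advisory): checksum = SHA-1(apiCall + queryString + secret).
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

API_CALL = "join"
SHARED_SECRET = "constructed-shared-secret"      # constructed placeholder, not a real value
DEFAULT_LOGOUT_URL = "https://bbb.example.org/"  # constructed placeholder


def compute_checksum(query_without_checksum: str, secret: str = SHARED_SECRET) -> str:
    """Assumed checksum scheme: SHA-1 over api call name + query string + secret."""
    data = (API_CALL + query_without_checksum + secret).encode()
    return hashlib.sha1(data).hexdigest()


def split_checksum(raw_query: str):
    """Return (query with the checksum parameter removed, supplied checksum or None).

    Parameter order is preserved so the checksum is recomputed over exactly the
    bytes the caller signed.
    """
    parts = [p for p in raw_query.split("&") if p]
    kept = [p for p in parts if not p.startswith("checksum=")]
    supplied = next((p[len("checksum="):] for p in parts if p.startswith("checksum=")), None)
    return "&".join(kept), supplied


def checksum_is_valid(raw_query: str, secret: str = SHARED_SECRET) -> bool:
    query, supplied = split_checksum(raw_query)
    if supplied is None or not supplied.isascii():
        return False
    expected = compute_checksum(query, secret)
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


def is_safe_redirect_target(url: str) -> bool:
    """Extra hardening: only absolute http(s) URLs may be used as redirect targets."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def resolve_logout_url(raw_query: str, secret: str = SHARED_SECRET) -> str:
    """Decide where the client is sent at logout.

    A request with a missing or wrong checksum is not allowed to choose the
    destination: the default logout URL is returned instead, which is the
    behaviour the advisory attributes to the fixed version.
    """
    if not checksum_is_valid(raw_query, secret):
        return DEFAULT_LOGOUT_URL
    params = parse_qs(raw_query, keep_blank_values=True)
    candidate = params.get("logoutURL", [None])[0]
    if not candidate or not is_safe_redirect_target(candidate):
        return DEFAULT_LOGOUT_URL
    return candidate


def sign_query(query_without_checksum: str, secret: str = SHARED_SECRET) -> str:
    """How a legitimate integration (e.g. an LMS) builds a signed join query."""
    return query_without_checksum + "&checksum=" + compute_checksum(query_without_checksum, secret)


if __name__ == "__main__":
    # Constructed sample requests.
    signed = sign_query("meetingID=demo&fullName=Alice&logoutURL=https%3A%2F%2Flms.example.edu%2Fcourse")
    print(resolve_logout_url(signed))          # honoured: checksum verifies
    tampered = signed.replace("lms.example.edu", "redirect.example")
    print(resolve_logout_url(tampered))        # default: logoutURL changed after signing
```

The same functions double as a post-upgrade check: feed `resolve_logout_url` a query whose logoutURL was altered after signing, or one with no checksum at all, and confirm that the default logout URL comes back, which is the behaviour the mitigation section asks you to verify against the live endpoint.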
CVE-2026-41126 is an Open Redirect vulnerability affecting BigBlueButton versions 3.0.0 through 3.0.24, allowing attackers to redirect users to malicious sites.
You are affected if you are using BigBlueButton versions 3.0.0 through 3.0.24. Upgrade to 3.0.24 to mitigate the risk.
Upgrade BigBlueButton to version 3.0.24 or later. There are no known workarounds.
There is no confirmed active exploitation at this time, but the vulnerability's simplicity suggests potential future targeting.
Refer to the official BigBlueButton security advisories on their website or GitHub repository for the latest information.