Platform
php
Component
bigbluebutton
Fixed in
3.0.25
CVE-2026-41126 describes an Open Redirect vulnerability discovered in BigBlueButton, an open-source virtual classroom platform. This flaw allows attackers to redirect users to arbitrary URLs, potentially leading to phishing or malware distribution. The vulnerability affects versions 3.0.0 through 3.0.24, and a fix is available in version 3.0.24.
An attacker can exploit this Open Redirect vulnerability by crafting a malicious URL containing a manipulated logoutURL parameter within the bigbluebutton/api/join endpoint. When a user clicks this crafted link, they are redirected to the attacker's chosen destination, bypassing intended security measures. This could lead to credential theft through phishing, redirection to malware-laden websites, or other malicious activities. The impact is amplified if BigBlueButton is integrated with other systems, as the redirection could potentially compromise those systems as well.
CVE-2026-41126 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively simple nature of Open Redirect vulnerabilities, it is possible that this vulnerability could be targeted by automated scanners and exploited in the future.
Organizations and educational institutions using BigBlueButton versions 3.0.0 through 3.0.24 are at risk. This includes those hosting their own BigBlueButton instances and those using shared hosting environments where the BigBlueButton installation is managed by the hosting provider. Users who frequently click on links within BigBlueButton are particularly vulnerable.
• javascript / web: Inspect network requests to bigbluebutton/api/join for unexpected redirects.
// Example: check for suspicious redirect URLs in browser developer tools
// Look for requests to bigbluebutton/api/join with unusual logoutURL parameters
• generic web: Monitor access logs for requests to bigbluebutton/api/join with unusual or external logoutURL parameters.
# Example: grep for suspicious logoutURL values in access logs
grep 'bigbluebutton/api/join.*logoutURL=' /var/log/apache2/access.log
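An added detection example, not code from the original page or from the BigBlueButton project, that applies the access-log check above to constructed combined-format log lines: it parses each request, decodes the logoutURL value of api/join calls, and reports any whose host lies outside an assumed allowlist of the instance's own hosts (bbb.example.edu and lms.example.edu are placeholders).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: hosts a legitimate logoutURL may point to (the instance itself and
# the LMS that embeds it). Any other host is an external redirect target.
ALLOWED_HOSTS = {"bbb.example.edu", "lms.example.edu"}

# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2026:10:01:02 +0000] "GET /bigbluebutton/api/join?meetingID=abc&fullName=Ana&password=pw&logoutURL=https%3A%2F%2Flms.example.edu%2Fcourse%2F7&checksum=deadbeef HTTP/1.1" 302 0
198.51.100.9 - - [21/Apr/2026:10:02:15 +0000] "GET /bigbluebutton/api/join?meetingID=abc&fullName=Bob&password=pw&logoutURL=https%3A%2F%2Fevil.example.net%2Flogin&checksum=0000 HTTP/1.1" 302 0
203.0.113.7 - - [21/Apr/2026:10:03:40 +0000] "GET /bigbluebutton/api/getMeetings?checksum=1234 HTTP/1.1" 200 512
"""

# client ip, timestamp, request target, status code
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)


def external_logout_redirects(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, timestamp, logout_host, status) for every api/join
    request whose logoutURL points at a host outside allowed_hosts."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, ts, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/bigbluebutton/api/join"):
            continue
        # parse_qs already decodes once; decode again to normalise double-encoded values
        for value in parse_qs(parts.query).get("logoutURL", []):
            if "%" in value:
                value = unquote(value)
            host = urlsplit(value).hostname
            if host is None:
                continue  # relative URL stays on the instance; not an external redirect
            if host.lower() not in allowed_hosts:
                findings.append((client, ts, host, status))
    return findings


if __name__ == "__main__":
    for client, ts, host, status in external_logout_redirects(SAMPLE_LOG):
        print(f"{ts} {client} -> logoutURL host {host} (HTTP {status})")
```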
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-41126 is to immediately upgrade BigBlueButton to version 3.0.24 or later. Since no workarounds are available, patching is the only viable solution. Before upgrading, it's recommended to back up your BigBlueButton configuration and database. After the upgrade, verify the fix by attempting to access the bigbluebutton/api/join endpoint with a crafted logoutURL parameter; the system should now redirect to the default logout URL instead of the attacker-controlled URL.
Update BigBlueButton to version 3.0.24 or later to mitigate the open redirect risk. This version fixes the handling of requests with incorrect checksums, ensuring that the default logout URL is used.
CVE-2026-41126 is an Open Redirect vulnerability affecting BigBlueButton versions 3.0.0 through 3.0.24, allowing attackers to redirect users to malicious sites.
You are affected if you are using BigBlueButton versions 3.0.0 through 3.0.24. Upgrade to 3.0.24 to mitigate the risk.
Upgrade BigBlueButton to version 3.0.24 or later. There are no known workarounds.
There is no confirmed active exploitation at this time, but the vulnerability's simplicity suggests potential future targeting.
Refer to the official BigBlueButton security advisories on their website or GitHub repository for the latest information.