Executive Summary

CVE-2026-22800 is a Cross-Site Request Forgery (CSRF) vulnerability in PILOS, a frontend for BigBlueButton. It affects an administrative API endpoint that terminates all active video conferences on a server. This endpoint was accessible via an HTTP GET request, which is unsafe for destructive actions. Although authorization checks prevent cross-site exploitation, the GET method allows the endpoint to be triggered implicitly through same-site content, such as embedded resources. As a result, an authenticated administrator who views crafted content within the application may unintentionally cause all active video conferences to be terminated without explicit intent or confirmation. This vulnerability was fixed in version 4.10.0 by changing the API request method from GET to POST. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause all active video conferences on a PILOS server to be terminated unexpectedly if an authenticated administrator views crafted content within the application. This disruption affects availability of the service, potentially interrupting ongoing meetings or seminars without the administrator's explicit intent or confirmation. The impact is limited to availability and does not affect confidentiality or integrity. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an administrative API endpoint that terminates all active video conferences via an HTTP GET request prior to version 4.10.0. Detection can involve monitoring HTTP GET requests to the endpoint path matching the pattern '/servers/{server}/panic'. You can use network monitoring tools or command-line utilities like curl or wget to test if the endpoint accepts GET requests for the panic action. For example, a command like `curl -I -X GET https://your-pilos-server/servers/1/panic` can be used to check if the GET method is accepted. If the server responds to GET requests on this endpoint, it is vulnerable. Additionally, reviewing server logs for GET requests to this endpoint can help detect exploitation attempts. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to upgrade PILOS to version 4.10.0 or later, where the vulnerability is fixed by changing the panic API endpoint from accepting GET requests to POST requests, preventing accidental or malicious triggering via GET. There are no available workarounds. Until the upgrade, restrict access to the administrative API endpoint and avoid viewing or loading untrusted content within the application as an authenticated administrator to reduce risk. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability causes unintended termination of active video conferences by an authenticated administrator through a CSRF attack, impacting availability. However, there is no loss of confidentiality or integrity. Since the issue affects availability but does not expose or alter personal data, it may have limited direct impact on compliance with standards like GDPR or HIPAA, which primarily focus on data protection and privacy. Nonetheless, disruption of service could indirectly affect compliance if it impairs the ability to maintain continuous secure operations or meet service availability requirements. The vulnerability has been fixed in version 4.10.0. [1]

Useful 0 Not Useful 0