CVE-2026-27736
Open Redirect Vulnerability in BigBlueButton 3.x Prior to
Publication date: 2026-02-25
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bigbluebutton | bigbluebutton | up to 3.0.20 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can be exploited remotely without any privileges required, but it requires user interaction.
An attacker can use this flaw to redirect users to malicious or phishing websites by manipulating the errorRedirectUrl parameter.
The impact includes low confidentiality and integrity impacts, with no availability impact.
This can lead to phishing attacks or other malicious redirection attacks that may compromise user trust or security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-27736 is an Open Redirect vulnerability in the ApiController component of BigBlueButton versions 3.0.x prior to 3.0.20.
The vulnerability occurs because the string received via the parameter errorRedirectUrl lacks proper validation and is used directly in the respondWithRedirect function.
This allows attackers to craft URLs that redirect users to untrusted external sites.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the improper validation of the errorRedirectUrl parameter in BigBlueButton versions prior to 3.0.20, leading to an Open Redirect issue.
Detection can focus on monitoring HTTP requests to the ApiController component for usage of the errorRedirectUrl parameter with untrusted or external URLs.
You can use network monitoring tools or web server logs to identify suspicious redirect URLs.
- Use grep or similar commands on server logs to find requests containing errorRedirectUrl, for example: grep -i 'errorRedirectUrl=' /path/to/access.log
- Use curl or wget to test whether the application redirects to external URLs when passed crafted errorRedirectUrl parameters.
- Monitor HTTP responses for 3xx redirect status codes that point to external domains.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade BigBlueButton to version 3.0.20 or later, where the vulnerability has been patched.
No known workarounds are available for this vulnerability.
After upgrading, verify that the errorRedirectUrl parameter is properly validated and that redirects do not lead to untrusted external sites.
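As an added example (not code from BigBlueButton or from this page), the following Python script applies the log-review and post-upgrade verification advice above: it pulls errorRedirectUrl out of access-log request lines and flags every value that would send the browser off the server's own host. The combined log format, the server hostname bbb.example.org and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines (combined log format); hosts, paths and addresses are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2026:10:00:01 +0000] "GET /bigbluebutton/api/join?meetingID=abc&errorRedirectUrl=https%3A%2F%2Fbbb.example.org%2Ferror HTTP/1.1" 302 0
203.0.113.9 - - [25/Feb/2026:10:00:07 +0000] "GET /bigbluebutton/api/join?meetingID=abc&errorRedirectUrl=https%3A%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 0
203.0.113.9 - - [25/Feb/2026:10:00:09 +0000] "GET /bigbluebutton/api/join?meetingID=abc&errorRedirectUrl=%2F%2Fattacker.example%2F HTTP/1.1" 302 0
203.0.113.9 - - [25/Feb/2026:10:00:12 +0000] "GET /bigbluebutton/api/join?meetingID=abc&errorRedirectUrl=%2Ferror HTTP/1.1" 302 0
203.0.113.7 - - [25/Feb/2026:10:00:15 +0000] "GET /bigbluebutton/api/getMeetings HTTP/1.1" 200 512
"""

# Request line and status code of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def redirect_is_local(value: str, allowed_hosts: set[str]) -> bool:
    """True only when the (already URL-decoded) redirect value stays on an allowed host.

    Absolute and protocol-relative ("//host/...") values must use http(s) and name an
    allowed host; a scheme with no host ("http:host") is rejected as ambiguous. Bare
    paths ("/error") are local unless they start with a backslash, which browsers
    treat as a forward slash.
    """
    v = value.strip()
    parsed = urlparse(v)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False
    if parsed.scheme or parsed.netloc:
        # .hostname strips the port and any userinfo before the comparison.
        return parsed.hostname is not None and parsed.hostname.lower() in allowed_hosts
    return not v.startswith(("/\\", "\\"))


def find_external_redirects(log_text: str, allowed_hosts: set[str]) -> list[dict]:
    """Return one record per request whose errorRedirectUrl leaves allowed_hosts."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlparse(m.group("target")).query
        # parse_qs performs the same single URL-decode the server applies to the value.
        for value in parse_qs(query).get("errorRedirectUrl", []):
            if not redirect_is_local(value, allowed_hosts):
                hits.append({"client": line.split(" ", 1)[0], "value": value,
                             "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_external_redirects(SAMPLE_LOG, {"bbb.example.org"}):
        print(f"{hit['client']} -> {hit['value']} (HTTP {hit['status']})")
```

Run it against a real access log with the server's own hostname(s) in the allowed set; after upgrading to 3.0.20, a flagged request should no longer be answered with a 3xx to that external value.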