CVE-2026-27736
Received Received - Intake
Open Redirect Vulnerability in BigBlueButton 3.x Prior to

Publication date: 2026-02-25

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27736
EUVD
EUVD-2026-8686
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bigbluebutton bigbluebutton to 3.0.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27736 is an Open Redirect vulnerability in the ApiController component of BigBlueButton versions 3.0.x prior to 3.0.20.

The vulnerability occurs because the string received via the parameter errorRedirectUrl lacks proper validation and is used directly in the respondWithRedirect function.

This allows attackers to craft URLs that redirect users to untrusted external sites.

Impact Analysis

This vulnerability can be exploited remotely without any privileges required, but it requires user interaction.

An attacker can use this flaw to redirect users to malicious or phishing websites by manipulating the errorRedirectUrl parameter.

The impact includes low confidentiality and integrity impacts, with no availability impact.

This can lead to phishing attacks or other malicious redirection attacks that may compromise user trust or security.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the improper validation of the errorRedirectUrl parameter in BigBlueButton versions prior to 3.0.20, leading to an Open Redirect issue.'}, {'type': 'paragraph', 'content': 'Detection can focus on monitoring HTTP requests to the ApiController component for usage of the errorRedirectUrl parameter with untrusted or external URLs.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or web server logs to identify suspicious redirect URLs.'}, {'type': 'list_item', 'content': "Use grep or similar commands on server logs to find requests containing errorRedirectUrl, for example: grep -i 'errorRedirectUrl=' /path/to/access.log"}, {'type': 'list_item', 'content': 'Use curl or wget to test if the application redirects to external URLs when passing crafted errorRedirectUrl parameters.'}, {'type': 'list_item', 'content': 'Monitor HTTP responses for 3xx redirect status codes that point to external domains.'}] [2, 1]

Mitigation Strategies

The primary and recommended mitigation is to upgrade BigBlueButton to version 3.0.20 or later, where the vulnerability has been patched.

No known workarounds are available for this vulnerability.

After upgrading, verify that the errorRedirectUrl parameter is properly validated and that redirects do not lead to untrusted external sites.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27736. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart