CVE-2026-41126
Open Redirect in BigBlueButton API Join Endpoint Prior to
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bigbluebutton | bigbluebutton | to 3.0.24 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Open Redirect issue in BigBlueButton versions prior to 3.0.24. It occurs through the API endpoint bigbluebutton/api/join via the GET parameter "logoutURL". An attacker could exploit this by manipulating the logoutURL parameter to redirect users to a malicious site.
In version 3.0.24, the handling of requests with incorrect checksums was adjusted so that the default logoutURL is used instead of the user-supplied one, mitigating the vulnerability.
How can this vulnerability impact me?
The vulnerability can impact users by allowing attackers to redirect them to potentially malicious websites when they attempt to log out. This could lead to phishing attacks or other social engineering exploits.
The CVSS score of 4.3 indicates a low to medium severity: the impact is limited to confidentiality, with no impact on integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade BigBlueButton to version 3.0.24 or later, as this version has adjusted the handling of requests with incorrect checksum to use the default logoutURL, preventing the open redirect issue.
No known workarounds are available, so applying the update is the recommended immediate step.
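The following is an added illustration, not BigBlueButton's own code, of the behaviour change described above: before the fix, a join request whose checksum does not verify still produces an error response that redirects the browser to the caller-supplied logoutURL; after the fix, that error path uses the server's configured default. The checksum routine is modelled on BigBlueButton's documented API scheme (SHA-1 over the call name, the query string without the checksum parameter, and the shared secret), but treat the exact construction, the secret, the hostnames and the helper names here as assumptions of this example. An `is_redirect_probe` helper is included as a defender-side heuristic for spotting requests that combine a bad checksum with an off-host logoutURL in API logs.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; a real deployment reads these from its configuration.
SHARED_SECRET = "constructed-shared-secret"
DEFAULT_LOGOUT_URL = "https://bbb.example.test/"


def _strip_checksum(query: str) -> str:
    """Drop the checksum parameter; the checksum is computed over the rest of the query."""
    return "&".join(p for p in query.split("&") if p and not p.startswith("checksum="))


def compute_checksum(call_name: str, query: str, secret: str) -> str:
    """Assumed scheme: sha1(callName + queryWithoutChecksum + sharedSecret)."""
    material = call_name + _strip_checksum(query) + secret
    return hashlib.sha1(material.encode()).hexdigest()


def checksum_valid(call_name: str, query: str, secret: str) -> bool:
    supplied = parse_qs(query).get("checksum", [""])[0]
    expected = compute_checksum(call_name, query, secret)
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def sign_query(call_name: str, params: dict, secret: str) -> str:
    """Build a correctly signed query string, as a legitimate front-end would."""
    query = urlencode(params)
    return query + "&checksum=" + compute_checksum(call_name, query, secret)


def join_before_fix(query: str) -> dict:
    """Pre-3.0.24 behaviour as described: the error page honours the unverified logoutURL."""
    logout_url = parse_qs(query).get("logoutURL", [DEFAULT_LOGOUT_URL])[0]
    if not checksum_valid("join", query, SHARED_SECRET):
        return {"status": "checksumError", "redirect": logout_url}  # open redirect
    return {"status": "ok", "redirect": logout_url}


def join_after_fix(query: str) -> dict:
    """3.0.24 behaviour as described: a bad checksum falls back to the default logoutURL."""
    if not checksum_valid("join", query, SHARED_SECRET):
        return {"status": "checksumError", "redirect": DEFAULT_LOGOUT_URL}
    logout_url = parse_qs(query).get("logoutURL", [DEFAULT_LOGOUT_URL])[0]
    return {"status": "ok", "redirect": logout_url}


def is_redirect_probe(query: str) -> bool:
    """Log-review heuristic: invalid checksum combined with a logoutURL pointing off-host."""
    if checksum_valid("join", query, SHARED_SECRET):
        return False
    logout_url = parse_qs(query).get("logoutURL", [""])[0]
    own_host = urlsplit(DEFAULT_LOGOUT_URL).netloc
    return urlsplit(logout_url).netloc not in ("", own_host)


if __name__ == "__main__":
    # Constructed request with a bogus checksum and an external logoutURL.
    unsigned = (
        "meetingID=demo&fullName=Alice"
        "&logoutURL=https%3A%2F%2Fexternal.example.test%2F&checksum=deadbeef"
    )
    print("before fix:", join_before_fix(unsigned))
    print("after fix: ", join_after_fix(unsigned))
    print("probe?     ", is_redirect_probe(unsigned))
```

Running the block shows the pre-fix handler redirecting to the external host on a checksum failure while the fixed handler returns the default, and the probe heuristic flagging the request; a properly signed request passes both handlers unchanged.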