CVE-2026-46353
Received Received - Intake

BigBlueButton Checksum Bypass in API Requests

Vulnerability report for CVE-2026-46353, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web checksum validation could be bypassed when a presentationUploadExternalUrl parameter was supplied to API request handling in CreateMeeting.java and ValidationService.java, allowing a user to send valid requests to some endpoints without a checksum. This issue is fixed in version 3.0.21.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
bigbluebutton bbb-web to 3.0.21 (exc)
bigbluebutton bigbluebutton to 3.0.21 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46353 is a vulnerability in BigBlueButton versions before 3.0.21 where the API checksum validation could be bypassed by supplying a presentationUploadExternalUrl parameter. This allowed users to send valid requests to certain endpoints without proper checksum verification, potentially enabling unauthorized actions.

Detection Guidance

Check BigBlueButton version with: bbb-conf --version. If version is below 3.0.21, the system is vulnerable. Monitor API logs for requests to presentationUploadExternalUrl without checksum parameters.

Impact Analysis

This vulnerability could allow attackers with low privileges to bypass security checks and send unauthorized requests to BigBlueButton endpoints. This may lead to unauthorized access, data manipulation, or other malicious activities affecting confidentiality and integrity of meetings or presentations.

Compliance Impact

The vulnerability allows unauthorized actions due to improper access control, which could lead to unauthorized data access or modification. This may violate GDPR's integrity and confidentiality requirements or HIPAA's safeguards for protected health information if exploited.

Mitigation Strategies

Upgrade BigBlueButton to version 3.0.21 or later immediately. If immediate upgrade is not possible, restrict network access to BigBlueButton API endpoints until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46353. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart