CVE-2026-46404
Received Received - Intake

BigBlueButton IP Validation Bypass in 3.0.23

Vulnerability report for CVE-2026-46404, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

BigBlueButton is an open-source virtual classroom. Prior to 3.0.23, the presentation URL validation did not properly restrict access to site local and link local addresses. The redirect following logic now pins resolved IPs. This issue is fixed in version 3.0.23.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
bigbluebutton bigbluebutton to 3.0.23 (inc)
bigbluebutton bigbluebutton to 3.0.23 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46404 is a Server-Side Request Forgery (SSRF) vulnerability in BigBlueButton versions before 3.0.23. It involves improper validation of presentation URLs, allowing attackers with additional access to potentially access private network resources. The issue was fixed in version 3.0.23 by restricting URL validation to block site-local and link-local addresses and implementing DNS pinning to prevent DNS rebinding attacks.

Detection Guidance

To detect this vulnerability, check if your BigBlueButton instance is running a version prior to 3.0.23. Use commands like 'dpkg -l | grep bigbluebutton' on Debian-based systems or 'rpm -qa | grep bigbluebutton' on RPM-based systems to verify the installed version.

Impact Analysis

This vulnerability could allow attackers to access internal network resources or private addresses if they have additional access to the system. It may lead to unauthorized data exposure or network reconnaissance. The impact is limited by requiring high privileges and no user interaction, but successful exploitation could compromise sensitive assets.

Mitigation Strategies

Immediately update BigBlueButton to version 3.0.23 or later. Follow the official upgrade instructions from BigBlueButton's documentation to ensure all components are patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart