6.1

BigBlueButton 3.x versions prior to 3.0.20 can redirect users to malicious sites

CVE-2026-27736
Summary

If you're using an outdated version of BigBlueButton's virtual classroom software, a hacker could trick users into visiting a fake website. This is a security risk because it could lead to phishing or other types of attacks. Update to version 3.0.20 to fix the issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
bigbluebutton | bigbluebutton | <= 3.0.20 | –
Original title
BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation; using it directly in the respondWithRed...
Original description
BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation; using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.
NVD CVSS 3.1: 6.1
Vulnerability type
CWE-601 Open Redirect
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
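
The description attributes the flaw to an errorRedirectUrl value reaching the redirect without validation. The sketch below is an added example of that missing check, not BigBlueButton's code and not the 3.0.20 patch; the host allowlist, the fallback URL and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts this deployment legitimately sends users to on error.
ALLOWED_HOSTS = {"lms.example.edu", "bbb.example.edu"}
FALLBACK_URL = "https://bbb.example.edu/error"  # hypothetical fixed page


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for absolute http(s) URLs whose exact host is allowlisted."""
    if not isinstance(url, str) or not url:
        return False
    # Browsers drop tab/CR/LF and treat "\" like "/", so such values can
    # parse one way on the server and resolve differently in the client.
    if any(c <= " " or c in "\\\x7f" for c in url):
        return False
    try:
        parts = urlsplit(url)
        parts.port  # property access raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False  # non-web schemes, relative paths, scheme-relative //host
    if parts.username is not None or parts.password is not None:
        return False  # userinfo can make an untrusted host look trusted
    return parts.hostname in allowed_hosts


def resolve_error_redirect(requested):
    """Value for the Location header: the request's URL if safe, else fallback."""
    return requested if is_safe_redirect(requested) else FALLBACK_URL


# Constructed errorRedirectUrl values (not taken from the advisory).
SAMPLES = [
    "https://lms.example.edu/course/42?joinError=1",
    "//untrusted.example/login",
    "https://lms.example.edu@untrusted.example/",
    "https://lms.example.edu.untrusted.example/",
    "https:/\\untrusted.example/",
    "javascript:void(0)",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:50} -> {resolve_error_redirect(value)}")
```

Only the first constructed value is passed through; every other value resolves to the fixed fallback page. Matching the parsed hostname exactly, rather than testing a prefix or substring of the raw string, is what rejects the look-alike hosts.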