Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.4
BigBlueButton: Muted Audio Sent to Server When Joining
CVE-2026-27467
Summary
BigBlueButton versions 3.0.19 and below send audio to the server when joining a muted session. This could potentially allow malicious server operators to access audio data. Update to version 3.0.20 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| bigbluebutton | bigbluebutton | <= 3.0.20 | – |
Original title
BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute stat...
Original description
BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded at the server side, so it isn't audible to any participants, but this may allow for malicious server operators to access audio data. The behavior is only incorrect between joining the meeting and the first time the user unmutes. This issue has been fixed in version 3.0.20.
nvd CVSS3.1
2.4
Vulnerability type
CWE-200
Information Exposure
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026