{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41126", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.737Z", "datePublished": "2026-04-21T23:22:34.575Z", "dateUpdated": "2026-04-22T14:16:24.217Z"}, "containers": {"cna": {"title": "BigBlueButton has Open Redirect through bigbluebutton/api/join via get-parameter \"logoutURL\"", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8"}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"version": "< 3.0.24", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:22:34.575Z"}, "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter \"logoutURL.\" Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available."}], "source": {"advisory": "GHSA-cvwj-4pcp-f3g8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:16:11.226981Z", "id": "CVE-2026-41126", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:16:24.217Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:16:11.226981Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:16:20.055Z"}}], "cna": {"title": "BigBlueButton has Open Redirect through bigbluebutton/api/join via get-parameter \"logoutURL\"", "source": {"advisory": "GHSA-cvwj-4pcp-f3g8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"status": "affected", "version": "< 3.0.24"}]}], "references": [{"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8", "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter \"logoutURL.\" Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:22:34.575Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41126", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:16:24.217Z", "dateReserved": "2026-04-17T12:59:15.737Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T23:22:34.575Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter \"logoutURL.\" Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available."}], "id": "CVE-2026-41126", "lastModified": "2026-04-22T20:26:20.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:28.327", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.24)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "bigbluebutton", "source": "cna", "vendor": "bigbluebutton"}, "product": "bigbluebutton", "vendor": "bigbluebutton"}], "analysis": {"en": {"generated_at": "2026-04-22T06:10:55.532670+00:00", "value": {"mitigation_remediation": ["Upgrade the BigBlueButton installation to version 3.0.24 or newer where the logoutURL validation has been corrected.", "Verify that the logoutURL parameter is either omitted or strictly validated against a whitelist of allowed domains before redirection.", "If an upgrade cannot be performed immediately, configure the web server or application to block or rewrite redirect attempts that originate from the logoutURL parameter."], "summary": {"action": "Upgrade", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the BigBlueButton virtual classroom platform. All deployments running BigBlueButton prior to version 3.0.24 are susceptible. No specific sub\u2011product or component beyond the primary server is mentioned.", "description_and_impact": "BigBlueButton versions before 3.0.24 allow an attacker to supply a malicious logoutURL through the bigbluebutton/api/join endpoint. The application trusts and redirects the user to the supplied URL, creating an Open Redirect (CWE\u2011601). While not a direct code execution flaw, the redirect can be used in phishing or credential\u2011harvest campaigns to lure users to malicious sites after they leave a meeting.", "risk_and_exploitability": "The CVSS score is 4.3, indicating medium severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. It is a client\u2011side vulnerability that requires a user to be tricked into following a redirect, making it less likely to be exploited automatically but still dangerous for phishing campaigns."}}}}, "created": "2026-04-22T01:30:05.070846+00:00", "updated": "2026-04-22T06:15:10.417374+00:00", "vendors": ["bigbluebutton", "bigbluebutton$PRODUCT$bigbluebutton"]}