Unrated severityNVD Advisory· Published Feb 21, 2026· Updated Feb 24, 2026

BigBlueButton: Audio from participants to the server initially unmuted

CVE-2026-27467

Description

BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded at the server side, so it isn't audible to any participants, but this may allow for malicious server operators to access audio data. The behavior is only incorrect between joining the meeting and the first time the user unmutes. This issue has been fixed in version 3.0.20.

Affected products

Bigbluebutton/Bigbluebuttonv5
Range: < 3.0.20

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/bigbluebutton/bigbluebutton/commit/3aa47832bc2b17178799bd932453c226e8f95703mitrex_refsource_MISC
github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-6gj9-5rhm-68j8mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000