Unrated severityNVD Advisory· Published Feb 21, 2026· Updated Feb 24, 2026
BigBlueButton: Audio from participants to the server initially unmuted
CVE-2026-27467
Description
BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded at the server side, so it isn't audible to any participants, but this may allow for malicious server operators to access audio data. The behavior is only incorrect between joining the meeting and the first time the user unmutes. This issue has been fixed in version 3.0.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=3.0.19+ 1 more
- (no CPE)range: <=3.0.19
- (no CPE)range: < 3.0.20
Patches
Vulnerability mechanics
References
2- github.com/bigbluebutton/bigbluebutton/commit/3aa47832bc2b17178799bd932453c226e8f95703mitrex_refsource_MISC
- github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-6gj9-5rhm-68j8mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.