Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 26, 2026

BigBlueButton has Open Redirect vulnerability in ApiController

CVE-2026-27736

Description

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.

Affected products

Bigbluebutton/Bigbluebuttonv5
Range: >= 3.0.0, < 3.0.20

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/bigbluebutton/bigbluebutton/commit/691f92f3af0d6b796b91cb968977068663119812mitrex_refsource_MISC
github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-65cv-rg9f-qqrxmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000