CVE-2026-27467 LOW

CVE-2026-27467: BigBlueButton: Audio from participants to the server initially unmuted

Vendor Bigbluebutton
Product bigbluebutton
Weakness CWE-200 · Info exposure
Published February 21, 2026
Last update February 24, 2026

CVSS base score

2.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, a client that first joins a session with the microphone muted sends audio to the server regardless of mute state. The server discards this media, so it is not audible to any participants, but malicious server operators may be able to access the audio data. The behavior is incorrect only between joining the meeting and the first time the user unmutes. This issue has been fixed in version 3.0.20.

Key dates

02 Disclosure timeline

February 21, 2026 CVE published
February 24, 2026 Record updated