CVE-2026-41126 MEDIUM

CVE-2026-41126: BigBlueButton has Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL"

Vendor Bigbluebutton

Product bigbluebutton

Weakness CWE-601 · Open redirect

Published April 21, 2026

Last update April 22, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No known workarounds are available.

Key dates

02Disclosure timeline

April 21, 2026 CVE published

April 22, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41126 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

CVE-2026-41126: BigBlueButton has Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL"

01Description

02Disclosure timeline

03References

04Related CVE