SSRF in Bigbluebutton
CVE-2026-46404
BigBlueButton is an open-source virtual classroom. Prior to 3.0.23, the presentation URL validation did not properly restrict access to site local and link local addresses. The redirect following logic now pins resolved IPs. This issue is…
Vulnerability class: SSRF (Server-Side Request Forgery)
CVSS v3 metric
CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N.
Affected products
- Bigbluebutton — versions < 3.0.23
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-46404?
- CVE-2026-46404 is a medium-severity vulnerability in Bigbluebutton, classified under Server-Side Request Forgery (SSRF). CVSS score: 6.8/10. Published 2026-07-16.
- How severe is CVE-2026-46404?
- Medium severity. CVSS v3 base score is 6.8 out of 10.