CVE-2026-46351

Summary

BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web generated conference sessionToken values with insufficiently secure randomness in bbb-common-web/src/main/java/org/bigbluebutton/api/Util.java and bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy, allowing a session user to predict other users' conference session tokens and impersonate them. This issue is fixed in version 3.0.21.

Affected Software

VendorProductVersion RangeStatus
bigbluebuttonbigbluebutton< 3.0.21affected

Weaknesses

  • CWE-330: CWE-330: Use of Insufficiently Random Values

References