CVE-2026-46351
8.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web generated conference sessionToken values with insufficiently secure randomness in bbb-common-web/src/main/java/org/bigbluebutton/api/Util.java and bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy, allowing a session user to predict other users' conference session tokens and impersonate them. This issue is fixed in version 3.0.21.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| bigbluebutton | bigbluebutton | < 3.0.21 | affected |
Weaknesses
- CWE-330: CWE-330: Use of Insufficiently Random Values
References
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-7959-pf2v-xc4h
- https://github.com/bigbluebutton/bigbluebutton/commit/8457886c248aeba5597ee8749267602d6d117e98
- https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.21
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.