{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41127", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.737Z", "datePublished": "2026-04-21T23:24:46.671Z", "dateUpdated": "2026-04-22T13:12:52.166Z"}, "containers": {"cna": {"title": "BigBlueButton's missing authorization allows viewer to inject/overwrite captions", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q387-2q28-mg33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q387-2q28-mg33"}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"version": "< 3.0.24", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:24:46.671Z"}, "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available."}], "source": {"advisory": "GHSA-q387-2q28-mg33", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:12:43.869394Z", "id": "CVE-2026-41127", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:12:52.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41127", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:12:43.869394Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:12:48.269Z"}}], "cna": {"title": "BigBlueButton's missing authorization allows viewer to inject/overwrite captions", "source": {"advisory": "GHSA-q387-2q28-mg33", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "bigbluebutton", "product": "bigbluebutton", "versions": [{"status": "affected", "version": "< 3.0.24"}]}], "references": [{"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q387-2q28-mg33", "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q387-2q28-mg33", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:24:46.671Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41127", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:12:52.166Z", "dateReserved": "2026-04-17T12:59:15.737Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T23:24:46.671Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available."}], "id": "CVE-2026-41127", "lastModified": "2026-04-22T20:26:20.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:28.463", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q387-2q28-mg33"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.24)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "bigbluebutton", "source": "cna", "vendor": "bigbluebutton"}, "product": "bigbluebutton", "vendor": "bigbluebutton"}], "analysis": {"en": {"generated_at": "2026-04-22T06:10:41.298884+00:00", "value": {"mitigation_remediation": ["Upgrade BigBlueButton to version 3.0.24 or later to restore proper caption submission permissions.", "Review and tighten role permissions to ensure that only moderators or authorized staff can submit captions.", "Implement monitoring or logging to detect any unauthorized caption submissions in the interim period before the upgrade can be completed."], "summary": {"action": "Apply patch", "impact": "Unauthorized caption injection via missing viewer authorization"}, "threat_synthesis": {"affected_systems": "All BigBlueButton deployments running a version earlier than 3.0.24 are affected, including 3.0.23 and any prior releases. Users who have not applied the 3.0.24 update or later remain vulnerable until the authorization controls are restored.", "description_and_impact": "This vulnerability arises from a missing authorization check that allows users with the viewer role to submit or replace captions in BigBlueButton. As a result, a malicious viewer can insert misleading or disruptive captions, potentially spreading misinformation or disrupting the learning experience. The weakness corresponds to CWE-639, an authorization bypass that undermines data integrity.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate to high risk. Since the EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, the likelihood of widespread exploitation is uncertain but could emerge through targeted attacks. The flaw can be leveraged by any participant with viewer access, making it a low barrier to exploit. Administrators should treat this as a medium risk that requires timely patching."}}}}, "created": "2026-04-22T01:30:05.070559+00:00", "updated": "2026-04-22T06:15:10.416948+00:00", "vendors": ["bigbluebutton", "bigbluebutton$PRODUCT$bigbluebutton"]}