ctipilot.ch

BigBlueButton bbb-web


BigBlueButton bbb-web — three CVEs (sessionToken, checksum bypass, SSRF) on EU edu/gov virtual-classroom platform

  • Coverage timeline: first 2026-05-19 → last 2026-05-19 (1 entry, 1 distinct day)
  • Sources cited: 4 (2 hosts)
  • Sections touched: 1 (active-threats)
  • Co-occurring entities: 3

Story timeline

  1. 2026-05-19 · active-threats · BigBlueButton bbb-web < 3.0.21 / < 3.0.23 — three flaws in EU education and government virtual-classroom platform: weak session-token randomness, API checksum bypass, SSRF

Where this entity is cited

  • active-threats (1)

Source distribution

  • github.com: 3 (75%)
  • wid.cert-bund.de: 1 (25%)

Entries about BigBlueButton bbb-web (1)

2026-05-19

BigBlueButton bbb-web < 3.0.21 / < 3.0.23 — three flaws in EU education and government virtual-classroom platform: weak session-token randomness, API checksum bypass, SSRF

Severity: high · discovered 2026-05-19 05:00 UTC

BigBlueButton (BBB) — the de facto open-source virtual classroom platform deployed across German DFN, Swiss SWITCH, and pan-European GÉANT academic networks, including cantonal school deployments — published three GitHub Security Advisories on 2026-05-17 covering distinct flaws in its bbb-web component, all in versions before 3.0.21 (two of three) and 3.0.23 (one):

  • CVE-2026-46351 (CVSS 8.1), CWE-330: the sessionToken is generated with insufficiently random values, letting an authenticated low-privilege attacker who shares or has observed a meeting determine other participants' session tokens and impersonate any conference user (BBB GHSA-7959-pf2v-xc4h, 2026-05-17).
  • CVE-2026-46353 (CVSS 8.1), CWE-284 access-control bypass in the presentationUploadExternalUrl endpoint: by supplying specific URL parameters an attacker can bypass checksum validation and send valid API requests to restricted endpoints without proper authentication, with high confidentiality and integrity impact (BBB GHSA-43hc-5g2m-cqff, 2026-05-17).
  • CVE-2026-46404 (CVSS 6.8), CWE-918 SSRF in presentation URL validation: insufficient redirect-following checks allow a high-privilege authenticated attacker to reach RFC1918 and link-local (169.254.0.0/16) addresses from the BBB server context (BBB GHSA-xqm3-6q7q-4v5h, 2026-05-17).

BSI's WID-SEC-2026-1568 corroborated the advisories on 2026-05-18 (BSI WID-SEC-2026-1568, 2026-05-18).

Why it matters to us: BBB is operated at scale by Swiss cantonal Volksschule deployments, German Länder ministries of education and university IT, and EU national research and education networks (NRENs). The combination of session-token prediction and checksum bypass would let a low-privilege classroom participant impersonate other students and teachers or send arbitrary authenticated API calls; SSRF on the server gives a presenter-role lateral-movement primitive into RFC1918 networks (KVM hosts, internal LDAP, SIS endpoints).

Mitigation: upgrade bbb-web to ≥ 3.0.21 for the first two CVEs and ≥ 3.0.23 for the SSRF. Detection: monitor bbb-web logs for anomalous joins using close-by sessionTokens and for API calls to presentationUploadExternalUrl carrying unexpected URL parameters; alert on egress from the BBB server process to RFC1918 / 169.254/16 ranges. ATT&CK mapping: T1212 (Exploitation for Credential Access) covers the session-token-prediction primitive; the SSRF maps to T1190 (Exploit Public-Facing Application) chained with internal-network reach.
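One way to implement the per-hop check that the SSRF advisory's "insufficient redirect-following" wording points at, as an added example that is not BBB's own code: every URL in the redirect chain, not only the one the presenter submitted, is validated against the RFC1918, link-local and loopback ranges named above. `FAKE_DNS`, the example hostnames and the function names are constructed assumptions; a real deployment resolves hostnames itself.

```python
import ipaddress
from urllib.parse import urlparse

# Ranges the BBB server must never fetch a presentation from (the advisory names
# RFC1918 and 169.254.0.0/16; loopback and the IPv6 equivalents are added here).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "169.254.0.0/16",                                   # IPv4 link-local / cloud metadata
    "127.0.0.0/8", "0.0.0.0/8",                         # loopback, "this host"
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]

# Constructed stand-in for DNS (assumption: real code resolves each hostname itself).
FAKE_DNS = {
    "cdn.example.org": ["203.0.113.10"],
    "files.example.org": ["203.0.113.10", "10.0.0.5"],  # one public, one internal answer
    "metadata.internal": ["169.254.169.254"],
}

def is_internal_address(ip_text):
    """True if the address falls in a blocked range; unmasks IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped           # ::ffff:10.0.0.5 is really 10.0.0.5
    return any(ip in net for net in BLOCKED_NETS)

def hop_is_allowed(url, resolver=FAKE_DNS):
    """Validate one URL: http(s) only; host checked as an IP literal or via every DNS answer."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return not is_internal_address(parts.hostname)   # IP literal, incl. bracketed IPv6
    except ValueError:
        pass                                              # not a literal: resolve the name
    answers = resolver.get(parts.hostname)
    if not answers:
        return False                                      # unresolvable: fail closed
    return not any(is_internal_address(a) for a in answers)

def redirect_chain_allowed(chain, resolver=FAKE_DNS, max_hops=5):
    """Validate every hop the fetch would follow, not only the submitted URL.

    `chain` is the submitted URL followed by each Location target, in order.
    """
    if not chain or len(chain) > max_hops + 1:
        return False
    return all(hop_is_allowed(url, resolver) for url in chain)
```

Resolving a name here and then letting the HTTP client resolve it again leaves a DNS-rebinding window; connect to the address that was validated, or re-check the socket's peer address before reading the response.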

“Insecure SessionToken Generation in BigBlueButton” — BBB GHSA-7959-pf2v-xc4h

“A remote, authenticated attacker can exploit multiple vulnerabilities in BigBlueButton to bypass security measures and disclose confidential information” — BSI WID-SEC-2026-1568

Tags: vulnerabilities · auth-bypass · info-disclosure · patch-available · europe · dach · switzerland · CVE-2026-46351 · CVE-2026-46353 · CVE-2026-46404