How serious is CVE-2026-27466?

This vulnerability has a CVSS score of 8.2 out of 10, classified as HIGH severity. No public exploit code has been identified yet.

Which products are affected by CVE-2026-27466?

CVE-2026-27466 affects bigbluebutton bigbluebutton. Check the full CVE details for specific version information.

How do I fix CVE-2026-27466?

To remediate CVE-2026-27466, check for security patches from bigbluebutton. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-27466

High

|8.2

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

An attacker can exploit a vulnerability in BigBlueButton to overload the server or crash a critical process by sending large files, which can lead to a Denial of Service. This issue only affects users who followed specific instructions in the documentation and is fixed in the latest version.

Technical Description

BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable for Denial of Service. The flawed command exposes both ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or shutdown the clamd process. The clamd documentation explicitly warns about exposing this port. Enabling ufw (ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which is not managed or restricted by ufw. Rules installed by ufw in the filter table have no effect on docker traffic. In addition, the provided example also mounts /var/bigbluebutton with write permissions into the container, which should not be required. Future vulnerabilities in clamd may allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactLow

Integrity ImpactNone

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$3,526($1K-$5K)

Vendor Response

Grade APatched in 5 days

Quick Information

Published

Feb 21, 2026

about 2 months ago

Last Modified

Feb 26, 2026

about 1 month ago

Vendor

bigbluebutton

Product

bigbluebutton

Related Vulnerabilities

CVE-2026-27467Low

This vulnerability allows a malicious server operator to potentially access audio data from users who join a BigBlueButton session with their microphone muted, even though the audio isn't heard by other participants. This issue occurs only between the time a user joins the meeting and when they first unmute their microphone, and it has been fixed in the latest version.