CVE-2026-27467

Name: CVE-2026-27467
Creator: NVD / NIST
Published: 2026-02-21T08:16:11.827+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

LOWCVSS 2.4/10EPSS 0.17%

Last modified Jun 17, 2026

CVE-2026-27467 is a low-severity vulnerability rated 2.4/10 on the CVSS scale. BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. EPSS estimates a 0.17% chance of exploitation in the next 30 days.

Description

BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded at the server side, so it isn't audible to any participants, but this may allow for malicious server operators to access audio data. The behavior is only incorrect between joining the meeting and the first time the user unmutes. This issue has been fixed in version 3.0.20.

Metrics

CVSS 3.1

2.4/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

EPSS Probability

0.17%

7.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

Affected Software

Vendor	Product	Versions
Bigbluebutton	Bigbluebutton	< 3.0.20

References

Timeline

Published: Feb 21, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-27467?

How severe is CVE-2026-27467?

CVE-2026-27467 has a CVSS score of 2.4/10 (LOW severity). The EPSS model estimates a 0.17% probability of exploitation in the next 30 days.

How do I fix CVE-2026-27467?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-27467?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST