CVE Tools
Sign in

CVE-2026-27466

BigBlueButton: Exposed ClamAV port enables Denial of Service

Published: Feb 21, 2026Updated: Feb 26, 2026 Sources: CVE List NVDCWE-668
NVD MITRE
7.2CVSSHIGH
EPSS Score
0.4%
Top 68.7%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable for Denial of Service. The flawed command exposes both ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or shutdown the clamd process. The clamd documentation explicitly warns about exposing this port. Enabling ufw (ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which is not managed or restricted by ufw. Rules installed by ufw in the filter table have no effect on docker traffic. In addition, the provided example also mounts /var/bigbluebutton with write permissions into the container, which should not be required. Future vulnerabilities in clamd may allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:CC:LI:NA:L
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:CScope
Changed
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:LAvailability
Low
Open in CVSS calculator →

Weaknesses

CWE-668

Affected Products

bigbluebuttonbigbluebutton
On-premWeb App
Communications / video-conferencing
bigbluebuttonoss-projectCommunicationsaka bbb

Exploitability

Official Patch Available

References

https://github.com/bigbluebutton/bigbluebutton/commit/f3d33d94a9682e87c7d41f55700b19d61e1ab8b4
github.com
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wmhx-qw2p-w6gc
github.com

Timeline

Published
Feb 21, 2026
Last Updated
Feb 26, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-27466 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows