bigbluebutton

v3.0.29 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 15h Communication & Email

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 4 known CVEs

Topics

bigbluebutton collaboration conferencing video video-conferencing webrtc

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 13h

Release v3.0.29 of BigBlueButton introduces critical security fixes across Core, bbb‑web, playback UI, and akka‑apps.

Why it matters: All four components receive high‑severity (90) mitigations for XSS, request validation, shape injection, and meeting ID verification; operators must upgrade immediately to protect user data.

Summary

AI summary

Security fixes in Core, bbb-web, playback, and akka-apps address XSS, request validation, and meeting ID verification.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Critical	Block embeddable shape types in whiteboard annotations Block embeddable shape types in whiteboard annotations Source: llm_adapter@2026-06-12 Confidence: high	—
Security	Critical	Reject GET-Only Endpoint Requests With Request Bodies Reject GET-Only Endpoint Requests With Request Bodies Source: llm_adapter@2026-06-12 Confidence: high	—
Security	Critical	Prevent stored XSS in recording playback Prevent stored XSS in recording playback Source: llm_adapter@2026-06-12 Confidence: high	—
Security	Critical	Verify Meeting ID on Presentation Delete Message in akka-apps Verify Meeting ID on Presentation Delete Message in akka-apps Source: llm_adapter@2026-06-12 Confidence: high	—

Full changelog

This iteration of BigBlueButton 3.0 contains security fixes only.
We strongly encourage administrators to update!

(note: if some of the advisories below are not yet loading, they are yet to be published)

Core

fix: Block embeddable shape types in whiteboard annotations by @Tainan404 https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h2rp-mcch-vgh9
fix(bbb-web): Reject GET-Only Endpoint Requests With Request Bodies by @paultrudel https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-q8vx-4cgc-7w4w
fix(playback): prevent stored XSS in recording playback by @germanocaumo https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-57p5-c888-74f9
fix(akka-apps): Verify Meeting ID on Presentation Delete Message by @paultrudel
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-jxpq-r3h3-p75g

Full Changelog: https://github.com/bigbluebutton/bigbluebutton/compare/v3.0.28...v3.0.29

Release name

Passing -v jammy-300 to https://github.com/bigbluebutton/bbb-install/blob/v3.0.x-release/bbb-install.sh will always install the latest released BigBlueButton 3.0 version.

If for some reason you would like to install this specific release, pass -v jammy-300-3.0.29.

We still recommend using -v jammy-300 as this repository is continually updated with each BigBlueButton 3.0 release.

Client build: 1672

Security Fixes

GHSA-h2rp-mcch-vgh9 — Block embeddable shape types in whiteboard annotations (Core)
GHSA-q8vx-4cgc-7w4w — Reject GET‑Only Endpoint Requests With Request Bodies (bbb-web)
GHSA-57p5-c888-74f9 — Prevent stored XSS in recording playback (playback)
GHSA-jxpq-r3h3-p75g — Verify Meeting ID on Presentation Delete Message (akka-apps)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track bigbluebutton

Get notified when new releases ship.

About bigbluebutton

A complete web conferencing system for virtual classes and more!

All releases →

Related context

Related tools

Earlier breaking changes

v3.0.27 Local address as meta_endCallbackUrl requires explicit hostname allowance via fetchUrlAllowedLocalHosts configuration.