What's New in BigBlueButton 3.0.21

Version 3.0.21 is a maintenance release that addresses critical security issues and delivers several client and core improvements. Administrators are encouraged to update at their earliest opportunity.

Security Fixes

Two security vulnerabilities have been resolved:

  • Checksum bypass with PresentationUploadExternalUrl (GHSA-43hc-5g2m-cqff) — the fix prevents unauthorized access via the external upload endpoint.
  • Use of a secure PRNG for ID and token generation (GHSA-7959-pf2v-xc4h) — the fix replaces weak random number generation to strengthen session tokens and IDs.

Note: Both issues will be disclosed publicly no earlier than February 10, 2026, to allow administrators time to upgrade.

HTML5 Client Improvements

Presentation Position Fix

Fixed an issue where the presentation would revert to an old position when the infinite whiteboard feature was enabled. This resolves unexpected jumps during collaborative annotation sessions.

Waiting Room Locale Fix

Corrected a missing space in some locale strings on the waiting room queue, ensuring the interface displays cleanly for all supported languages.

Core Improvements

Breakout Room Participant Updates

Fixed a bug where the breakout room list would not refresh when a user was promoted or demoted. The list now updates correctly in all roles.

Plugin Logger Refactor

The plugin logger code has been refactored for greater robustness, improving error tracking and debugging for plugin developers.

Packaging and Configuration

bbb-conf now uses turnutils_stunclient instead of the deprecated stun client (version 0.97), fixing STUN connectivity checks. Additionally, the bbb-pads package has been updated to version 1.5.8, bringing the latest improvements to Etherpad integration.

For a complete list of changes, including locale updates and documentation enhancements, refer to the GitHub release page.