[Issue] Critical security issue: Recordings publicly accessible despite visibility settings


Sergio

Jan 26, 2026, 1:28:29 PM
to bigbluebutton-greenlight

Our System:

  • BigBlueButton Server v3.0.19
  • GreenLight v3.7.1

Hello everyone,

I believe I have identified a critical security issue in Greenlight related to the visibility of recordings.

Several clients for whom we have implemented BigBlueButton with Greenlight have reported that their recordings are publicly accessible by anyone who has the recording URL, even when visibility restrictions are configured.

According to Greenlight, the available visibility modes are:

  • Public / Protected
  • Public
  • Protected
  • Published
  • Unpublished

However, in practice, only the “Unpublished” state fully restricts access.
In all other cases, non-authenticated users can access the recording directly via the URL, without being logged in or authorized.

This behavior represents a major security and privacy concern, especially for:

  • Private meetings
  • Educational institutions
  • Corporate or confidential sessions
  • GDPR / data protection compliance

From our testing, this does not appear to be expected behavior and seems more like a bug or misinterpretation of the visibility logic, where “Protected” or similar modes should prevent anonymous access.

I consider this a high-priority issue that should be reviewed and addressed as soon as possible.

Thank you for your time and for the continued work on Greenlight.

Best regards,

