CVE-2025-66027: Rallly Information Disclosure Vulnerability Exposes User Data

Overview

CVE-2025-66027 describes an information disclosure vulnerability found in Rallly, an open-source scheduling and collaboration tool. Specifically, versions prior to 4.5.6 are affected. This vulnerability allows unauthorized access to participant details, including names and email addresses, even when privacy features intended to protect this information are enabled. This bypasses the intended privacy controls and exposes potentially sensitive user data.

Technical Details

The vulnerability resides in the /api/trpc/polls.get,polls.participants.list endpoint. Any logged-in user, including an attacker holding an ordinary account, could call this endpoint to retrieve the list of participants and their associated details (names and email addresses) for a specific poll. This occurs even if the poll creator has enabled the privacy setting intended to hide this information from other participants and from the public.

The root cause is a flaw in the endpoint's access-control logic: prior to version 4.5.6, the poll's privacy setting was not enforced when participant lists were retrieved through the API.
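The following handler is an added illustration of the missing check, written for this page and not taken from Rallly's code base: it applies the poll's privacy setting and the caller's identity server-side before returning participant data. The field names (hideParticipants, ownerId, userId) and the sample poll are assumptions made for the example.

```typescript
// Added illustration, not Rallly's own code: a participant-list handler that
// enforces the poll's privacy setting server-side, the kind of check the
// advisory says was not applied before 4.5.6. Field names are assumptions.

type Participant = { id: string; userId?: string; name: string; email: string };
type Poll = { id: string; ownerId: string; hideParticipants: boolean };
type Caller = { userId: string } | null; // null = not logged in
type ParticipantView = { id: string; name: string | null; email: string | null };

function listParticipants(poll: Poll, participants: Participant[], caller: Caller): ParticipantView[] {
  const isOwner = caller !== null && caller.userId === poll.ownerId;
  return participants.map((p) => {
    if (isOwner) {
      // The poll owner may see every participant in full.
      return { id: p.id, name: p.name, email: p.email };
    }
    const isSelf = caller !== null && p.userId === caller.userId;
    return {
      id: p.id,
      // With privacy on, a non-owner only sees their own name.
      name: !poll.hideParticipants || isSelf ? p.name : null,
      // E-mail addresses are owner-only regardless of the setting.
      email: null,
    };
  });
}

// Check usable after an upgrade: does a non-owner's view leak any e-mail address?
function leaksEmail(view: ParticipantView[]): boolean {
  return view.some((v) => v.email !== null);
}

// Constructed sample data for the example (not real users).
const samplePoll: Poll = { id: "poll-1", ownerId: "u-owner", hideParticipants: true };
const sampleParticipants: Participant[] = [
  { id: "p1", userId: "u-owner", name: "Owner", email: "owner@example.test" },
  { id: "p2", userId: "u-alice", name: "Alice", email: "alice@example.test" },
  { id: "p3", name: "Guest", email: "guest@example.test" },
];
```

The same shape of test, run against a staging instance with a non-owner account, is a reasonable way to confirm the privacy setting holds after upgrading.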

CVSS Analysis

No CVSS score has been assigned yet (currently N/A). However, since this is an information disclosure vulnerability exposing potentially sensitive personal data, a moderate to high severity score would be expected once calculated. The full CVSS analysis will depend on attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity, and availability impacts. The score may be updated as further analysis is performed.

Possible Impact

The exploitation of CVE-2025-66027 can lead to several negative consequences:

  • Privacy Breach: Exposed names and email addresses can compromise the privacy of Rallly users.
  • Phishing Attacks: The leaked email addresses can be used in targeted phishing campaigns.
  • Spam: Exposed email addresses may be added to spam lists.
  • Reputational Damage: The Rallly platform could suffer reputational damage due to the privacy breach.

Mitigation or Patch Steps

The vulnerability is patched in Rallly version 4.5.6. The primary mitigation step is to upgrade to version 4.5.6 or later. If upgrading is not immediately feasible, consider temporarily disabling the polls or restricting access to the Rallly instance until the upgrade can be performed.

  1. Upgrade Rallly: The recommended solution is to upgrade your Rallly instance to version 4.5.6 or a newer version. Follow the official Rallly upgrade instructions.
  2. Verify Upgrade: After upgrading, verify that the privacy settings are functioning as expected.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
