Rallly Information Disclosure Vulnerability in Participant API Leaks Names and...

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.

Basic Information

ID CVE-2025-66027

Source GitHub_M

Published Nov 29, 2025 at 00:43

Affected Product

Vendor lukevella

Product rallly

Version < 4.5.6

Affected Versions lukevella rallly < 4.5.6

CWE Classification

CWE-200 CWE-284 CWE-359

References

{
    "lastseen": "",
    "description": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users\u2019 personal information. This issue has been patched in version 4.5.6.",
    "published": "2025-11-29T00:43:02.452Z",
    "modified": "2025-11-29T00:43:02.452Z",
    "type": "cve",
    "title": "Rallly Information Disclosure Vulnerability in Participant API Leaks Names and Emails Despite Pro Privacy Settings",
    "source": "GitHub_M",
    "references": "https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fg\nhttps://github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963\nhttps://github.com/lukevella/rallly/releases/tag/v4.5.6",
    "id": "CVE-2025-66027",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200",
        "CWE-284",
        "CWE-359"
    ],
    "cvelist": null,
    "sourceData": "lukevella rallly < 4.5.6",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rallly",
    "version": "< 4.5.6",
    "vendor": "lukevella",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Rallly Information Disclosure Vulnerability in Participant API Leaks Names and Emails Despite Pro Privacy Settings_CVE-2025-66027