Unrated severityNVD Advisory· Published Nov 19, 2025· Updated Nov 19, 2025
Rallly Has an IDOR Vulnerability in Vote Update Endpoint Allows Unauthorized Manipulation of Participant Votes
CVE-2025-65028
Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/lukevella/rallly/releases/tag/v4.5.4mitrex_refsource_MISC
- github.com/lukevella/rallly/security/advisories/GHSA-pchc-v5hg-f5gpmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.