Unrated severityNVD Advisory· Published Nov 19, 2025· Updated Nov 19, 2025
Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of Other Users’ Names
CVE-2025-65032
Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker can modify another user’s name, violating data integrity and potentially causing confusion or impersonation attacks. This issue has been patched in version 4.5.4.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/lukevella/rallly/releases/tag/v4.5.4mitrex_refsource_MISC
- github.com/lukevella/rallly/security/advisories/GHSA-q9m7-chfx-43xwmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.