Unrated severityNVD Advisory· Published Nov 29, 2025· Updated Dec 1, 2025

Rallly Information Disclosure Vulnerability in Participant API Leaks Names and Emails Despite Pro Privacy Settings

CVE-2025-66027

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.

Affected products

Lukevella/Ralllyv5
Range: < 4.5.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963mitrex_refsource_MISC
github.com/lukevella/rallly/releases/tag/v4.5.6mitrex_refsource_MISC
github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fgmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000