CVE-2025-65028 MEDIUM

CVE-2025-65028: Rallly Has an IDOR Vulnerability in Vote Update Endpoint Allows Unauthorized Manipulation of Participant Votes

Vendor Lukevella
Product rallly
Weakness CWE-285
Published November 19, 2025
Last update November 19, 2025
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4.

Key dates

02Disclosure timeline

November 19, 2025 CVE published
November 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-2694 The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API CVE-2025-7778 Icons Factory <= 1.6.12 - Missing Authorization to Unauthenticated Arbitrary File Deletion via delete_files() Function CVE-2024-20441 Cisco Nexus Dashboard Fabric Controller Unauthorized API Endpoint Vulnerability CVE-2025-2360 D-Link DIR-823G UPnP Service HNAP1 SetUpnpSettings improper authorization CVE-2025-10980 JeecgBoot exportXls improper authorization