CVE-2025-65031 MEDIUM

CVE-2025-65031: Rallly Improper Authorization in Comment Endpoint Allows User Impersonation

Vendor Lukevella

Product rallly

Weakness CWE-285

Published November 19, 2025

Last update November 19, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4.

Key dates

02Disclosure timeline

November 19, 2025 CVE published

November 19, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-65031

Related vulnerabilities

CVE-2025-65031: Rallly Improper Authorization in Comment Endpoint Allows User Impersonation

01Description

02Disclosure timeline

03References

04Related CVE