CVE-2025-65034 HIGH

CVE-2025-65034: Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId

Vendor Lukevella
Product rallly
Weakness CWE-639 · IDOR
Published November 19, 2025
Last update November 19, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.

Key dates

02Disclosure timeline

November 19, 2025 CVE published
November 19, 2025 Record updated