CVE-2025-65032

MEDIUM

rallly < 4.5.4 - Authenticated Insecure Direct Object Reference via ParticipantId Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-65032. PoCs published by alaeddine03.

AI-analyzed exploit summary The repository describes an Insecure Direct Object Reference (IDOR) vulnerability in Rallly, allowing authenticated users to modify other participants' display names by manipulating the participantId parameter. The issue was patched in version 4.5.4.

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker can modify another user’s name, violating data integrity and potentially causing confusion or impersonation attacks. This issue has been patched in version 4.5.4.

Exploits (1)

github WRITEUP
by alaeddine03 · poc
https://github.com/alaeddine03/CVE-Disclosures/tree/main/Rallly/CVE-2025-65032

The repository describes an Insecure Direct Object Reference (IDOR) vulnerability in Rallly, allowing authenticated users to modify other participants' display names by manipulating the participantId parameter. The issue was patched in version 4.5.4.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Rallly < 4.5.4
Auth required
Prerequisites: Authenticated user access
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2
Core References

Scores

CVSS v3 6.5
EPSS 0.0022
EPSS Percentile 12.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (1)
rallly/rallly < 4.5.4
Published Nov 19, 2025
Tracked Since Feb 18, 2026