CVE-2025-65033

HIGH

rallly < 4.5.4 - Authenticated Authorization Bypass in Poll Management

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-65033. PoCs published by alaeddine03.

AI-analyzed exploit summary The repository describes an Insecure Direct Object Reference (IDOR) vulnerability in Rallly, where authenticated users can pause or resume any poll without proper ownership verification. The issue was patched in version 4.5.4.

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.

Exploits (1)

github WRITEUP
by alaeddine03 · poc
https://github.com/alaeddine03/CVE-Disclosures/tree/main/Rallly/CVE-2025-65033

The repository describes an Insecure Direct Object Reference (IDOR) vulnerability in Rallly, where authenticated users can pause or resume any poll without proper ownership verification. The issue was patched in version 4.5.4.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Rallly < 4.5.4
Auth required
Prerequisites: Authenticated user access
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2
Core References

Scores

CVSS v3 8.1
EPSS 0.0028
EPSS Percentile 19.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-639 CWE-285
Status published
Products (1)
rallly/rallly < 4.5.4
Published Nov 19, 2025
Tracked Since Feb 18, 2026