CVE-2025-66027

MEDIUM

rallly < 4.5.6 - Unauthenticated Information Disclosure via API Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-66027. PoCs published by alaeddine03.

AI-analyzed exploit summary

The repository describes an information disclosure vulnerability in Rallly (CVE-2025-66027) where participant names and emails are leaked via the `/api/trpc/polls.get,polls.participants.list` endpoint despite Pro privacy settings. The issue was patched in version 4.5.6.

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses, through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.

The endpoint path is a tRPC batch call: the comma joins two procedures (polls.get and polls.participants.list) into one HTTP request, so the participant list that the Pro privacy setting should filter comes back alongside the poll itself. Note also that the CVSS vector below rates the issue PR:L and the tracked PoC lists valid participant credentials as a prerequisite, so the "Unauthenticated" wording in the LLM-generated title is not supported by the rest of this record; read it as reachable by anyone who can join the poll as a participant.
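As an added triage helper for the advisory above (example code, not code from this page or from the Rallly project): the first function compares a deployed Rallly version string against the fixed release 4.5.6, and the second walks a captured response from the batched tRPC call and lists every participant entry that still carries an email address other than the viewer's own. The response envelope shape ({"result": {"data": {"json": ...}}} per procedure, superjson style) and the `name`/`email` key names are assumptions, not taken from the advisory, which is why the walker visits every object rather than relying on the nesting; the sample response and its participants are constructed.

```python
"""Offline triage helpers for CVE-2025-66027 (Rallly < 4.5.6).

Added example, not code from the advisory page or the Rallly project.
Two checks a responder can run without touching a live instance:
  1. is_vulnerable_version(): compare a deployed Rallly version string
     with the fixed release 4.5.6.
  2. find_exposed_participants(): walk a captured response from the
     batched tRPC call /api/trpc/polls.get,polls.participants.list and
     list every participant entry that still carries an email address.
"""
import json
import re
from typing import Any, Iterator, List, Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (4, 5, 6)  # first patched release per the advisory

# Constructed sample of what the batched tRPC response is ASSUMED to look like:
# one envelope per procedure, each wrapped as {"result": {"data": {"json": ...}}}
# (superjson style). The envelope shape and the "name"/"email" keys are
# assumptions, not taken from the advisory; the participants are fictitious.
SAMPLE_BATCH_RESPONSE = json.dumps([
    {"result": {"data": {"json": {"id": "poll-demo", "title": "Team sync"}}}},
    {"result": {"data": {"json": [
        {"id": "p1", "name": "Alice Example", "email": "alice@example.invalid"},
        {"id": "p2", "name": "Bob Example", "email": "bob@example.invalid"},
        {"id": "p3", "name": "Carol Example"},  # a row without an email is not a leak
    ]}}},
])


def parse_version(version: str) -> Tuple[int, ...]:
    """'v4.5.5' or '4.5.5-beta.1' -> (4, 5, 5). Pre-release suffixes are ignored."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Rallly version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the deployed version is older than the fixed release 4.5.6."""
    return parse_version(version) < FIXED_VERSION


def _walk_objects(node: Any) -> Iterator[dict]:
    """Yield every JSON object in the tree, so the check does not depend on the
    exact envelope nesting that tRPC (or its data transformer) wraps results in."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk_objects(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk_objects(item)


def find_exposed_participants(batch_response: str,
                              viewer_email: Optional[str] = None) -> List[dict]:
    """Return {"name", "email"} for each participant object in the response that
    exposes an email address. The viewer's own row is skipped, since a participant
    seeing their own details is expected; anything left is data the Pro privacy
    setting should have withheld from other participants."""
    exposed = []
    for obj in _walk_objects(json.loads(batch_response)):
        email = obj.get("email")
        if not (isinstance(email, str) and "@" in email and "name" in obj):
            continue
        if viewer_email and email.lower() == viewer_email.lower():
            continue
        exposed.append({"name": obj["name"], "email": email})
    return exposed


if __name__ == "__main__":
    for ver in ("4.5.5", "v4.5.6"):
        print(f"{ver}: {'vulnerable' if is_vulnerable_version(ver) else 'fixed'}")
    for row in find_exposed_participants(SAMPLE_BATCH_RESPONSE,
                                         viewer_email="alice@example.invalid"):
        print("exposed:", row)
```

To use it against your own deployment, capture the batched tRPC response from a participant session (browser devtools or an intercepting proxy) with the Pro privacy feature turned on, and pass the body to find_exposed_participants with that participant's address as viewer_email. A non-empty result means other participants' addresses are still being returned, i.e. the 4.5.6 fix is not in place on that instance.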

Exploits (1)

github WRITEUP
by alaeddine03 · poc
https://github.com/alaeddine03/CVE-Disclosures/tree/main/Rallly/CVE-2025-66027

Classification: Writeup (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Rallly < 4.5.6
Auth required: yes
Prerequisites: Access to the vulnerable Rallly instance · Valid participant credentials
Analyzed by devstral-2 on Feb 27, 2026

Scores

CVSS v3.1: 6.5 (Medium)
EPSS: 0.0030 (21.0th percentile)
Attack Vector: Network
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-284, CWE-359, CWE-200
Status: published
Products (1): rallly/rallly < 4.5.6
Published: Nov 29, 2025
Tracked Since: Feb 18, 2026