CVE-2025-66027 is a high-severity information disclosure vulnerability affecting Rallly, an open-source scheduling and collaboration platform. The flaw exists in versions prior to 4.5.6 and involves improper access control on the API endpoints /api/trpc/polls.get and polls.participants.list. These endpoints expose participant information, including names and email addresses, even when Pro privacy features are enabled. The vulnerability arises from a failure to enforce authorization checks properly, allowing users with limited privileges to retrieve sensitive participant data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N) indicates that the vulnerability is remotely exploitable over the network without user interaction, requires low attack complexity, and only limited privileges, but results in high confidentiality impact. The issue compromises the confidentiality of personal data, violating privacy expectations and potentially breaching data protection regulations such as GDPR. Although no active exploits have been reported, the exposure of personally identifiable information (PII) can lead to targeted phishing, social engineering, or reputational damage. The vulnerability was publicly disclosed on November 29, 2025, and patched in Rallly version 4.5.6. Organizations using affected versions should prioritize patching to prevent unauthorized data exposure.

For European organizations, this vulnerability poses significant risks related to data privacy and regulatory compliance. Exposure of participant names and email addresses can lead to breaches of the EU General Data Protection Regulation (GDPR), resulting in legal penalties and fines. The leakage of PII undermines user trust and can facilitate further attacks such as phishing or identity theft. Collaboration platforms like Rallly are often used in corporate, educational, and governmental environments, so unauthorized access to participant data could expose sensitive internal communications or strategic information. The breach of confidentiality may also impact contractual obligations and damage organizational reputation. Since the vulnerability bypasses intended privacy controls, organizations relying on Pro privacy features may have a false sense of security. The impact is heightened in sectors with strict privacy requirements, including finance, healthcare, and public administration.

To mitigate this vulnerability, affected organizations must upgrade Rallly to version 4.5.6 or later, where the issue is patched. Until the upgrade can be applied, organizations should restrict access to the affected API endpoints by implementing network-level controls such as IP whitelisting or VPN access. Review and tighten user privilege assignments to ensure that only trusted users have access to scheduling and collaboration tools. Conduct audits of existing participant data exposure and notify affected users if a breach is suspected. Implement monitoring and alerting on unusual API access patterns to detect potential exploitation attempts. Additionally, organizations should review their data protection policies and ensure compliance with GDPR requirements, including data minimization and secure handling of personal information. Regularly update and patch all collaboration software to reduce exposure to known vulnerabilities.