CVE-2025-66027: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in lukevella rallly
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users’ personal information. This issue has been patched in version 4.5.6.
AI Analysis
Technical Summary
CVE-2025-66027 is an information disclosure vulnerability in the open-source scheduling and collaboration tool Rallly, affecting versions prior to 4.5.6. The flaw is in the tRPC API: a batched request to /api/trpc/polls.get,polls.participants.list (tRPC joins the procedure names of one batch with commas, so this single HTTP request invokes both polls.get and polls.participants.list) returns participant details, including names and email addresses. This happens even when Rallly's Pro privacy features are enabled, so the control intended to stop participants from viewing other users' personal information is bypassed. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control) and CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N) and high confidentiality impact (VC:H), with no impact on integrity or availability. In practice this means a low-privileged user, such as an ordinary poll participant, can remotely retrieve other participants' personal data with a single API request and no interaction from anyone else. No exploitation in the wild has been reported, but the data exposed is personal data and the flaw defeats the product's own privacy guarantee. The CVE was reserved on 2025-11-21 and published on 2025-11-29; version 4.5.6 remediates it by enforcing the intended privacy controls on the affected procedures.
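The failure class described above, as an added example in TypeScript that is not Rallly's code and not taken from the advisory: a minimal model of a participants-list procedure in its vulnerable shape (the server returns full rows and the privacy setting is enforced nowhere an API client must pass through) beside a hardened shape that makes the disclosure decision per caller and redacts before responding. The `hideParticipants` field name, the caller model, the participant type and the sample data are assumptions for illustration; the advisory does not describe Rallly's internals.

```typescript
// Added illustration of the access-control failure class behind CVE-2025-66027.
// NOT Rallly's code: the types, the `hideParticipants` setting name, the caller model
// and the sample data are assumptions chosen to make the behaviour concrete.

type Participant = {
  id: string;
  userId: string | null; // null for guests who answered without an account
  name: string;
  email: string | null;
};

type Poll = {
  id: string;
  ownerId: string;
  hideParticipants: boolean; // assumed name for the Pro "hide participants" setting
};

type Caller = { userId: string | null };

type ParticipantView = { id: string; name: string; email: string | null };

// Vulnerable shape: the resolver returns every stored field of every participant.
// Whatever the UI hides, a direct call to the procedure receives the full rows, so
// the privacy setting is enforced nowhere that an API client must pass through.
function listParticipantsVulnerable(
  _poll: Poll,
  participants: Participant[],
  _caller: Caller,
): ParticipantView[] {
  return participants.map((p) => ({ id: p.id, name: p.name, email: p.email }));
}

// Hardened shape: the disclosure decision is made server-side, per caller, and the
// response is shaped before it leaves the resolver, so redacted fields never reach
// the wire regardless of what the client asked for.
function listParticipantsHardened(
  poll: Poll,
  participants: Participant[],
  caller: Caller,
): ParticipantView[] {
  const isOwner = caller.userId !== null && caller.userId === poll.ownerId;
  return participants.map((p) => {
    const isSelf = caller.userId !== null && caller.userId === p.userId;
    if (isOwner || isSelf || !poll.hideParticipants) {
      return { id: p.id, name: p.name, email: p.email };
    }
    // Other participants never need an email address; the display name is
    // replaced with a placeholder so the vote grid still renders.
    return { id: p.id, name: "Participant", email: null };
  });
}

// Constructed sample data (not from the advisory).
const SAMPLE_POLL: Poll = { id: "poll-1", ownerId: "u-owner", hideParticipants: true };

const SAMPLE_PARTICIPANTS: Participant[] = [
  { id: "pa-1", userId: "u-owner", name: "Owner", email: "owner@example.test" },
  { id: "pa-2", userId: "u-alice", name: "Alice", email: "alice@example.test" },
  { id: "pa-3", userId: null, name: "Guest", email: "guest@example.test" },
];

// Number of email addresses a given caller receives from an implementation.
function emailsExposed(
  impl: (poll: Poll, ps: Participant[], caller: Caller) => ParticipantView[],
  caller: Caller,
  poll: Poll = SAMPLE_POLL,
): number {
  return impl(poll, SAMPLE_PARTICIPANTS, caller).filter((v) => v.email !== null).length;
}

// Bob is an unrelated low-privileged user (the PR:L of the advisory's CVSS vector).
const bob: Caller = { userId: "u-bob" };
console.log("vulnerable, Bob:", emailsExposed(listParticipantsVulnerable, bob)); // 3
console.log("hardened, Bob:", emailsExposed(listParticipantsHardened, bob)); // 0
```

The point of the hardened version is where the check lives: a privacy setting that only drives what the front end renders is no control at all against a client that calls the tRPC procedure directly, which is exactly what a batched `/api/trpc/...` request is.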
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized disclosure of personal data, namely participant names and email addresses. Such exposure can lead to privacy violations, reputational damage and regulatory penalties under GDPR, which mandates strict protection of personal information. Organizations using Rallly for scheduling and collaboration may leak user data to other participants or to anyone who can obtain a low-privileged session, undermining trust and handing an attacker a ready-made list of names and addresses for phishing or social engineering. The impact is particularly critical for sectors handling sensitive or regulated data, such as healthcare, finance and government agencies, and the failure of the product's privacy controls may itself amount to non-compliance with European data protection law, with fines and legal consequences. Because exploitation needs only limited privileges, no user interaction and a single API request, any ordinary participant or anyone with minimal access to the instance can carry it out.
Mitigation Recommendations
The primary mitigation is to upgrade all Rallly instances to version 4.5.6 or later, where the vulnerability is patched. Audit deployments now to identify the running version (for container deployments, the image tag) and update without delay; enabling the Pro privacy features does not close the gap, since the bypass occurs with them turned on. The affected procedures serve the poll page itself, so they cannot simply be disabled without breaking the application; until the upgrade is applied, restrict who can reach the instance at all (for example, placing it behind a VPN or reverse-proxy authentication) and review access logs for requests to /api/trpc/polls.get,polls.participants.list, in particular a single client retrieving the participant lists of many different polls, which is the pattern of bulk harvesting of names and email addresses. Treat participant data served by pre-4.5.6 instances as potentially disclosed when assessing GDPR obligations, and conduct a privacy impact assessment where polls carried sensitive or regulated data. Educate users and administrators about the risk of information disclosure, enforce strong authentication and authorization on the deployment, and keep an incident response plan ready so that a confirmed leak can be handled promptly.
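Detection for the log-review step above, as an added example in TypeScript that is neither Rallly's nor the advisory's code: it scans nginx combined-format access-log lines for successful batched tRPC requests whose batch includes polls.participants.list, extracts the poll identifiers from the percent-encoded batch `input` parameter, and flags clients that pulled participant lists for more distinct polls than a threshold. The log format, the `json.urlId` shape of the batch input and the threshold are assumptions; the sample log lines are constructed.

```typescript
// Added detection example for the monitoring recommendation above. NOT Rallly's or
// the advisory's code: the nginx combined log format, the `json.urlId` shape of the
// tRPC batch `input` parameter and the threshold are assumptions for illustration.

const TARGET_PROCEDURE = "polls.participants.list";

type Hit = { client: string; pollIds: string[] };

// Parse one nginx combined-format access-log line. Returns null unless the line is a
// successful (200) request to a tRPC route whose batch includes the target procedure.
function parseLine(line: string): Hit | null {
  const m = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/.exec(line);
  if (!m) return null;
  const [, client, target, status] = m;
  if (status !== "200") return null; // a rejected request disclosed nothing
  const url = new URL(target, "http://localhost");
  // tRPC joins the procedures of one batched request with commas in the path.
  const procedures = url.pathname.replace(/^\/api\/trpc\//, "").split(",");
  if (!procedures.includes(TARGET_PROCEDURE)) return null;
  const raw = url.searchParams.get("input"); // already percent-decoded
  if (raw === null) return null;
  let input: unknown;
  try {
    input = JSON.parse(raw);
  } catch {
    return null;
  }
  if (typeof input !== "object" || input === null) return null;
  // Assumed batch input shape: { "0": { json: { urlId } }, "1": { json: { urlId } } }
  const pollIds = Object.values(input as Record<string, { json?: { urlId?: unknown } }>)
    .map((item) => item?.json?.urlId)
    .filter((id): id is string => typeof id === "string");
  return { client, pollIds };
}

type Finding = { client: string; requests: number; distinctPolls: number };

// Aggregate per client and report those that fetched participant lists for more
// distinct polls than `maxDistinctPolls`, the signature of bulk harvesting.
function findEnumerators(lines: string[], maxDistinctPolls = 3): Finding[] {
  const perClient = new Map<string, { requests: number; polls: Set<string> }>();
  for (const line of lines) {
    const hit = parseLine(line);
    if (hit === null) continue;
    const entry = perClient.get(hit.client) ?? { requests: 0, polls: new Set<string>() };
    entry.requests += 1;
    for (const id of hit.pollIds) entry.polls.add(id);
    perClient.set(hit.client, entry);
  }
  return Array.from(perClient.entries())
    .filter(([, e]) => e.polls.size > maxDistinctPolls)
    .map(([client, e]) => ({ client, requests: e.requests, distinctPolls: e.polls.size }));
}

// Constructed sample log lines (not real traffic).
function sampleLine(client: string, urlId: string, status = 200): string {
  const input = encodeURIComponent(
    JSON.stringify({ "0": { json: { urlId } }, "1": { json: { urlId } } }),
  );
  return `${client} - - [29/Nov/2025:10:00:00 +0000] "GET /api/trpc/polls.get,polls.participants.list?batch=1&input=${input} HTTP/1.1" ${status} 1234 "-" "curl/8.0"`;
}

const SAMPLE_LOG: string[] = [
  sampleLine("10.0.0.5", "poll-a"), // an ordinary user opening one poll twice
  sampleLine("10.0.0.5", "poll-a"),
  ...["poll-a", "poll-b", "poll-c", "poll-d", "poll-e"].map((id) => sampleLine("203.0.113.9", id)),
  sampleLine("203.0.113.9", "poll-f", 404), // guessed id that did not exist: ignored
  '10.0.0.7 - - [29/Nov/2025:10:00:01 +0000] "GET /api/trpc/user.get?batch=1&input=%7B%7D HTTP/1.1" 200 50 "-" "Mozilla/5.0"',
];

console.log(findEnumerators(SAMPLE_LOG));
// [ { client: '203.0.113.9', requests: 5, distinctPolls: 5 } ]
```

Counting distinct poll identifiers rather than raw request volume is deliberate: a legitimate user reloading one poll page generates many hits on the same procedure, while harvesting across polls is what the vulnerability makes valuable. Only 200 responses are counted because a failed lookup returned no participant data.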
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-21T01:08:02.614Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692a4ade2a13ea799f617d4a
Added to database: 11/29/2025, 1:22:38 AM
Last enriched: 12/6/2025, 4:33:25 AM
Last updated: 1/14/2026, 1:34:45 AM
Related Threats
- CVE-2025-12050: CWE-787 Out-of-bounds Write in Insyde Software InsydeH2O tools (High)
- CVE-2026-21306: Out-of-bounds Write (CWE-787) in Adobe Substance3D - Sampler (High)
- CVE-2026-21303: Out-of-bounds Read (CWE-125) in Adobe Substance3D - Modeler (Medium)
- CVE-2026-21302: Out-of-bounds Read (CWE-125) in Adobe Substance3D - Modeler (Medium)
- CVE-2026-21300: NULL Pointer Dereference (CWE-476) in Adobe Substance3D - Modeler (Medium)