CVE-2025-65020: CWE-285: Improper Authorization in lukevella rallly
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4.
AI Analysis
Technical Summary
CVE-2025-65020 is a medium-severity vulnerability classified under CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization). It affects Rallly, an open-source scheduling and collaboration platform, specifically versions prior to 4.5.4. The vulnerability exists in the poll duplication endpoint (/api/trpc/polls.duplicate), where the pollId parameter is insufficiently validated. Authenticated users can modify this parameter to duplicate polls they do not own, effectively bypassing access control mechanisms. This leads to unauthorized cloning of private or administrative polls, potentially exposing sensitive scheduling information or enabling unauthorized manipulation of poll data. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network (AV:N). The CVSS vector indicates low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N), but the scope remains unchanged (S:U). The impact affects confidentiality and integrity (C:L/I:L) but not availability (A:N). Although no known exploits have been reported in the wild, the vulnerability poses a risk to organizations relying on Rallly for sensitive scheduling or collaboration tasks. The issue was publicly disclosed on November 19, 2025, and patched in version 4.5.4. Organizations should upgrade to this version or later to remediate the vulnerability.
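The authorization defect described above is the classic user-controlled-key pattern: the handler looks the poll up by the caller-supplied `pollId` alone, so ownership never enters the decision. The following TypeScript is an added illustration written for this page, not Rallly's code or its patch; the `Poll` type, the two handler names and the sample data are constructed, and the shape of the ownership predicate in the fixed variant is an assumption about how such a handler would typically scope its query, not a quotation from the 4.5.4 fix.

```typescript
// Added illustration, not Rallly's code: a poll duplication handler written
// two ways over an in-memory store. Names and sample data are constructed.

type Poll = { id: string; ownerId: string; title: string; isPrivate: boolean };

// Constructed sample data: alice owns a private poll, bob owns a public one.
const polls = new Map<string, Poll>([
  ["poll-a", { id: "poll-a", ownerId: "alice", title: "Board meeting", isPrivate: true }],
  ["poll-b", { id: "poll-b", ownerId: "bob", title: "Team lunch", isPrivate: false }],
]);

let cloneCounter = 0;

// Copies a poll into the store under a new owner; shared by both handlers.
function clonePoll(src: Poll, newOwnerId: string): Poll {
  cloneCounter += 1;
  const copy: Poll = { ...src, id: `${src.id}-copy-${cloneCounter}`, ownerId: newOwnerId };
  polls.set(copy.id, copy);
  return copy;
}

type DuplicateResult = { ok: true; poll: Poll } | { ok: false; error: string };

// Vulnerable pattern (CWE-639): the caller-supplied pollId is the only lookup
// key, so any authenticated caller can clone any poll whose id they know.
function duplicatePollVulnerable(callerId: string, pollId: string): DuplicateResult {
  const src = polls.get(pollId);
  if (!src) return { ok: false, error: "NOT_FOUND" };
  return { ok: true, poll: clonePoll(src, callerId) };
}

// Hardened pattern: ownership is part of the lookup predicate. In a database-
// backed handler this is the equivalent of scoping the query by both the poll
// id and the session user id (an assumed shape, not taken from the patch).
// A poll the caller does not own is reported exactly like a nonexistent one,
// so the endpoint does not become an oracle for which ids exist.
function duplicatePollFixed(callerId: string, pollId: string): DuplicateResult {
  const src = polls.get(pollId);
  if (!src || src.ownerId !== callerId) return { ok: false, error: "NOT_FOUND" };
  return { ok: true, poll: clonePoll(src, callerId) };
}

// Number of polls currently in the store (lets a caller observe clones).
function pollCount(): number {
  return polls.size;
}
```

The point of the fixed variant is that the ownership check is not a separate step that can be forgotten; it is folded into the same lookup that fetches the record, and the failure result is indistinguishable from a missing id.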
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure and manipulation of sensitive scheduling information, potentially affecting internal planning, resource allocation, or confidential meetings. The ability to clone private or administrative polls without proper authorization undermines trust in the scheduling platform and could facilitate further social engineering or insider threats. While the vulnerability does not directly impact system availability, the confidentiality and integrity breaches could have operational and reputational consequences, especially for organizations handling sensitive or regulated data. Collaboration platforms are often integral to business continuity; thus, exploitation could disrupt workflows or expose strategic information. The medium severity reflects a moderate risk that should be addressed promptly to prevent escalation or chaining with other vulnerabilities.
Mitigation Recommendations
European organizations using Rallly should immediately upgrade to version 4.5.4 or later, where the vulnerability is patched. Until upgrade, implement strict access controls and monitor API usage for anomalous poll duplication requests. Employ logging and alerting on poll duplication endpoints to detect unauthorized attempts. Conduct an audit of existing polls to identify any unauthorized clones created prior to patching. Consider restricting poll duplication functionality to trusted roles or users, if possible, via configuration or custom access controls. Additionally, enforce strong authentication mechanisms to prevent unauthorized access to the platform. Educate users about the risks of sharing poll links or credentials. Finally, integrate vulnerability scanning and patch management processes to ensure timely updates of open-source tools like Rallly.
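Two of the recommendations above, monitoring the duplication endpoint for anomalous requests and auditing for clones made before patching, reduce to the same offline check: join each successful duplication against the ownership of the source poll and flag the ones where requester and owner differ. The TypeScript below is an added example for this page, not tooling from Rallly or the advisory; the log line format, the `analyzeDuplications` and `parseLine` names and the sample lines and ownership table are all constructed, and it adds a simple per-user burst count on top of the cross-owner check.

```typescript
// Added example, not part of the advisory or Rallly: offline review of
// constructed application log lines for the poll duplication procedure.
// Assumed log format (constructed for this example):
//   <ISO time> user=<id> procedure=polls.duplicate pollId=<id> status=<code>
// plus a poll id -> owner id map, e.g. exported from the application database.

type DupEvent = { time: Date; user: string; pollId: string; status: number };
type Finding = { kind: "cross-owner" | "burst"; user: string; detail: string };

const LINE_RE = /^(\S+) user=(\S+) procedure=polls\.duplicate pollId=(\S+) status=(\d+)$/;

// Parses one line; returns null for other procedures or malformed lines.
function parseLine(line: string): DupEvent | null {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return {
    time: new Date(m[1] ?? ""),
    user: m[2] ?? "",
    pollId: m[3] ?? "",
    status: Number(m[4] ?? "0"),
  };
}

// Flags (a) successful duplications of a poll by someone other than its owner
// and (b) users who performed burstThreshold or more duplications inside
// windowMs. Only status 200 events count: denied requests were not clones.
function analyzeDuplications(
  lines: string[],
  owners: Map<string, string>,
  burstThreshold = 3,
  windowMs = 60_000,
): Finding[] {
  const events = lines
    .map(parseLine)
    .filter((e): e is DupEvent => e !== null && e.status === 200);
  const findings: Finding[] = [];

  for (const e of events) {
    const owner = owners.get(e.pollId);
    if (owner !== undefined && owner !== e.user) {
      findings.push({ kind: "cross-owner", user: e.user, detail: `${e.pollId} is owned by ${owner}` });
    }
  }

  // Sliding-window burst check per user over sorted timestamps.
  const byUser = new Map<string, number[]>();
  for (const e of events) {
    const list = byUser.get(e.user) ?? [];
    list.push(e.time.getTime());
    byUser.set(e.user, list);
  }
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while ((times[end] ?? 0) - (times[start] ?? 0) > windowMs) start++;
      const inWindow = end - start + 1;
      if (inWindow >= burstThreshold) {
        findings.push({ kind: "burst", user, detail: `${inWindow} duplications within ${windowMs / 1000}s` });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample input: alice clones her own poll, bob clones two polls
// he does not own plus one of his own in quick succession, one request is
// denied, and one unrelated procedure call is present to be ignored.
const SAMPLE_LOG: string[] = [
  "2025-11-19T10:00:00Z user=alice procedure=polls.duplicate pollId=poll-a status=200",
  "2025-11-19T10:00:05Z user=bob procedure=polls.duplicate pollId=poll-a status=200",
  "2025-11-19T10:00:06Z user=bob procedure=polls.duplicate pollId=poll-c status=200",
  "2025-11-19T10:00:07Z user=bob procedure=polls.duplicate pollId=poll-b status=200",
  "2025-11-19T10:00:08Z user=mallory procedure=polls.duplicate pollId=poll-a status=403",
  "2025-11-19T10:00:09Z user=alice procedure=polls.get pollId=poll-a status=200",
];
const OWNERS = new Map<string, string>([
  ["poll-a", "alice"],
  ["poll-b", "bob"],
  ["poll-c", "carol"],
]);

for (const f of analyzeDuplications(SAMPLE_LOG, OWNERS)) {
  console.log(`${f.kind}\t${f.user}\t${f.detail}`);
}
```

Run against a real export, the cross-owner findings are the audit list of clones that predate the patch; the burst findings are the alerting rule to keep on the endpoint afterwards. Whether the source poll id of a clone is recoverable depends on what the application records, which this example assumes rather than knows.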
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.681Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026693c808727dc91d2e
Added to database: 11/19/2025, 5:46:14 PM
Last enriched: 11/26/2025, 6:03:50 PM
Last updated: 1/7/2026, 8:54:40 AM
Views: 32
Related Threats
- CVE-2025-15158: CWE-434 Unrestricted Upload of File with Dangerous Type in eastsidecode WP Enable WebP (High)
- CVE-2025-15018: CWE-639 Authorization Bypass Through User-Controlled Key in djanym Optional Email (Critical)
- CVE-2025-15000: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tfrommen Page Keys (Medium)
- CVE-2025-14999: CWE-352 Cross-Site Request Forgery (CSRF) in kentothemes Latest Tabs (Medium)
- CVE-2025-13531: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hayyatapps Stylish Order Form Builder (Medium)