CVE-2025-65020: CWE-285: Improper Authorization in lukevella rallly
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4.
AI Analysis
Technical Summary
CVE-2025-65020 is a vulnerability classified under CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization) affecting the open-source scheduling and collaboration platform Rallly. The flaw exists in the poll duplication API endpoint (/api/trpc/polls.duplicate) in versions before 4.5.4. Specifically, the endpoint fails to properly verify whether the authenticated user has the right to duplicate a given poll. By modifying the pollId parameter, an attacker with any authenticated account can duplicate polls owned by other users, including private or administrative polls. This bypasses intended access controls and can lead to unauthorized exposure or replication of sensitive scheduling data. The vulnerability is remotely exploitable over the network without requiring elevated privileges or user interaction, making it relatively easy to exploit in environments where Rallly is deployed and accessible. The CVSS 3.1 base score is 6.5, reflecting a medium severity due to the confidentiality and integrity impact but no direct availability impact. Although no active exploits have been reported, the vulnerability poses a risk to organizations relying on Rallly for confidential scheduling and collaboration. The issue was addressed in Rallly version 4.5.4 by implementing proper authorization checks on the poll duplication endpoint to ensure only owners or authorized users can duplicate polls.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized duplication and potential exposure of private or administrative scheduling information. Such data might include sensitive meeting details, participant lists, or strategic planning sessions which, if leaked or misused, could compromise confidentiality and organizational integrity. The impact is particularly significant for sectors with strict data privacy requirements such as finance, healthcare, and government institutions. Unauthorized duplication could also facilitate further social engineering or insider threat activities by revealing internal collaboration patterns. While the vulnerability does not directly impact system availability, the breach of confidentiality and integrity could lead to reputational damage, regulatory penalties under GDPR, and operational disruptions if sensitive information is mishandled. Organizations using Rallly in multi-tenant or public-facing environments are at higher risk because any authenticated user can exploit the flaw.
Mitigation Recommendations
The primary mitigation is to upgrade Rallly installations to version 4.5.4 or later, where the vulnerability is patched. Organizations should audit their current Rallly deployments to identify affected versions and apply updates promptly. Additionally, implement strict access controls and monitoring on the Rallly application, including limiting account access to trusted personnel and enforcing strong authentication mechanisms. Review and restrict API access permissions to minimize exposure of sensitive endpoints. Employ logging and alerting on suspicious poll duplication activity (in particular, duplication of a poll by a user who does not own it) to detect potential exploitation attempts. For environments where immediate patching is not feasible, consider network-level restrictions to limit access to the Rallly service, or deploy web application firewalls (WAFs) with custom rules to detect and block pollId parameter manipulation on the duplication endpoint. Finally, educate users about the risks of unauthorized data duplication and encourage reporting of unusual application behavior.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.681Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026693c808727dc91d2e
Added to database: 11/19/2025, 5:46:14 PM
Last enriched: 11/19/2025, 6:03:20 PM
Last updated: 11/21/2025, 3:16:27 PM