CVE-2025-65021 is an improper authorization vulnerability classified under CWE-285, affecting Rallly, an open-source scheduling and collaboration platform. The flaw exists in the poll finalization feature prior to version 4.5.4, where the application fails to properly verify ownership of polls before allowing finalization. Specifically, an authenticated user can manipulate the pollId parameter in the finalization request to finalize polls created by other users. This Insecure Direct Object Reference (IDOR) vulnerability enables unauthorized users to convert others' polls into finalized events, potentially disrupting user workflows and causing data integrity and availability issues. The vulnerability does not require elevated privileges beyond authentication and no user interaction beyond sending crafted requests. The CVSS v3.1 base score is 9.1 (critical), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on integrity and availability. Although no public exploits are reported, the vulnerability poses a significant risk to organizations relying on Rallly for scheduling and collaboration. The issue was patched in version 4.5.4, which implements proper authorization checks to ensure only poll owners can finalize their polls.

For European organizations, this vulnerability can lead to unauthorized modification of scheduling data, disrupting collaboration and event planning workflows. The ability for any authenticated user to finalize others' polls can cause confusion, scheduling conflicts, and loss of trust in the platform’s data integrity. This may impact productivity, especially in organizations relying heavily on Rallly for remote or hybrid work coordination. Additionally, the disruption of availability of accurate scheduling information could affect critical business operations and decision-making processes. Since Rallly is open-source and may be self-hosted, organizations with less mature patch management processes are at higher risk. The vulnerability could also be leveraged as part of a broader attack chain to cause operational disruption or to undermine organizational collaboration efforts.

European organizations using Rallly should immediately upgrade to version 4.5.4 or later, where the vulnerability is patched. For environments where immediate upgrading is not feasible, implement strict access controls and monitoring around the poll finalization functionality to detect and block unauthorized attempts. Employ web application firewalls (WAFs) with custom rules to inspect and validate pollId parameters against user ownership where possible. Conduct thorough audits of user permissions and authentication mechanisms to ensure no excessive privileges are granted. Educate users about the importance of reporting unexpected poll finalizations. Additionally, integrate Rallly instances into centralized logging and SIEM solutions to detect anomalous activities related to poll finalization. Regularly review and test authorization logic in custom deployments or forks of Rallly to prevent similar issues.