CVE-2025-65021: CWE-285: Improper Authorization in lukevella rallly
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users’ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.
AI Analysis
Technical Summary
CVE-2025-65021 is an authorization bypass vulnerability classified under CWE-285 (Improper Authorization), CWE-862 (Missing Authorization), and CWE-639 (Authorization Bypass Through User-Controlled Key). It affects Rallly, an open-source scheduling and collaboration platform, in versions prior to 4.5.4. The flaw resides in the poll finalization feature, where the application fails to properly verify that the authenticated user finalizing a poll is the poll owner. By manipulating the pollId parameter in the API or web request, any authenticated user can finalize polls created by others. This results in unauthorized conversion of polls into events, which can disrupt user workflows, cause data integrity issues, and impact availability of scheduling functions. The vulnerability is remotely exploitable over the network without requiring elevated privileges or user interaction beyond authentication. The CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) indicates a critical severity due to high impact on integrity and availability, with no confidentiality impact. Although no public exploits are currently known, the simplicity of exploitation and the critical nature of the flaw necessitate urgent remediation. The vendor addressed the issue in Rallly version 4.5.4 by implementing proper authorization checks on poll finalization requests.
Potential Impact
For European organizations, this vulnerability poses significant risks to operational continuity and data integrity within collaborative scheduling environments. Unauthorized poll finalization can disrupt planned meetings and events, causing confusion and potential business process delays. In sectors relying heavily on coordinated scheduling—such as healthcare, education, and government—such disruptions could have amplified consequences. The integrity of scheduling data is compromised, potentially leading to mistrust in the platform and increased administrative overhead to verify and correct unauthorized changes. Availability of the scheduling service may also be affected if multiple polls are prematurely finalized, impacting user productivity. Since the vulnerability requires only authenticated access, insider threats or compromised user accounts could be leveraged to exploit this flaw. The lack of confidentiality impact reduces risk of data leakage but does not diminish the operational impact. Organizations using Rallly in critical workflows must act swiftly to mitigate these risks.
Mitigation Recommendations
The primary mitigation is to upgrade all Rallly instances to version 4.5.4 or later, where the vulnerability is patched. Organizations should audit their current deployments to identify affected versions. In addition to patching, implement strict access controls and role-based permissions to limit poll creation and finalization capabilities to trusted users. Monitor logs and audit trails for unusual poll finalization activities, especially those initiated by users who do not own the polls. Employ network segmentation and application-layer firewalls to restrict access to the scheduling platform to authorized personnel only. Educate users about the importance of safeguarding their credentials to prevent exploitation by compromised accounts. For organizations unable to immediately upgrade, consider temporarily disabling the poll finalization feature or restricting it via configuration or custom access controls until patching is feasible. Regularly review and update incident response plans to include scenarios involving manipulation of collaborative scheduling tools.
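As an added illustration of the flaw described above and of the audit trail the mitigation section recommends (example code, not Rallly's own source, which this page does not quote): a finalize handler that trusts a client-supplied pollId beside one that loads the poll, compares its owner to the session user and records every decision. The store, type and function names are assumptions for this example.

```typescript
// Added example, not Rallly's source: a minimal model of the poll-finalization
// authorization bug. All names here (Poll, Session, makeStore, ...) are assumptions.

export interface Poll { id: string; ownerId: string; title: string; finalized: boolean }
export interface Session { userId: string }
export interface AuditEvent { decision: "allow" | "deny"; actorId: string; pollId: string; ownerId: string }

export class AuthorizationError extends Error {}

// Constructed sample data: two polls owned by different users.
export function makeStore(): Map<string, Poll> {
  return new Map<string, Poll>([
    ["poll-a", { id: "poll-a", ownerId: "alice", title: "Team sync", finalized: false }],
    ["poll-b", { id: "poll-b", ownerId: "bob", title: "Sprint retro", finalized: false }],
  ]);
}

// Vulnerable shape (CWE-639): the handler confirms a session exists, then acts on
// whatever pollId the client sent. Ownership is never compared, so any logged-in
// user can finalize any poll whose id they hold.
export function finalizePollVulnerable(store: Map<string, Poll>, session: Session, pollId: string): boolean {
  if (!session.userId) throw new AuthorizationError("login required");
  const poll = store.get(pollId);
  if (!poll) return false;
  poll.finalized = true;
  return true;
}

// Hardened shape: load the object, check the caller owns it, and only then mutate.
// Every decision is recorded so non-owner attempts show up in the audit trail.
export function finalizePollSafe(store: Map<string, Poll>, session: Session, pollId: string, audit: AuditEvent[]): boolean {
  if (!session.userId) throw new AuthorizationError("login required");
  const poll = store.get(pollId);
  if (!poll) return false;
  const decision = poll.ownerId === session.userId ? "allow" : "deny";
  audit.push({ decision, actorId: session.userId, pollId, ownerId: poll.ownerId });
  if (decision === "deny") throw new AuthorizationError("only the poll owner may finalize it");
  poll.finalized = true;
  return true;
}

// Detection helper over the audit trail: denied finalizations counted per actor,
// which is the signal the mitigation section suggests monitoring for.
export function deniedFinalizationsByActor(audit: AuditEvent[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const e of audit) {
    if (e.decision === "deny") counts.set(e.actorId, (counts.get(e.actorId) ?? 0) + 1);
  }
  return counts;
}
```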
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.681Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026693c808727dc91d32
Added to database: 11/19/2025, 5:46:14 PM
Last enriched: 11/26/2025, 6:04:04 PM
Last updated: 1/7/2026, 6:44:55 AM