
CVE-2025-65028: CWE-285: Improper Authorization in lukevella rallly

Severity: Medium
Tags: Vulnerability, CVE-2025-65028, cve, cve-2025-65028, cwe-285, cwe-639, cwe-862
Published: Wed Nov 19 2025 (11/19/2025, 17:23:57 UTC)
Source: CVE Database V5
Vendor/Project: lukevella
Product: rallly

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4.

AI-Powered Analysis

Last updated: 11/26/2025, 18:04:25 UTC

Technical Analysis

CVE-2025-65028 identifies an improper authorization vulnerability (CWE-285) in Rallly, an open-source scheduling and collaboration platform. The flaw exists in versions prior to 4.5.4, where the backend API uses the participantId parameter to identify votes to update without verifying if the authenticated user owns the participantId or has permission to modify those votes. This insecure direct object reference (IDOR) vulnerability allows any authenticated user to alter other participants' poll votes arbitrarily, thereby compromising the integrity of poll results. The vulnerability stems from missing authorization checks and insufficient validation of user privileges before processing vote updates. Although the vulnerability does not expose confidential data or impact availability, it directly affects the integrity of collaborative decision-making data. The CVSS 3.1 base score of 6.5 reflects the network attack vector (AV:N), low attack complexity (AC:L), required privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). No known exploits are reported in the wild as of publication. The issue was reserved on 2025-11-13 and published on 2025-11-19, with the vendor releasing a patch in version 4.5.4 to enforce proper authorization checks. This vulnerability is categorized under CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization).
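The authorization gap described above, shown as an added illustration rather than Rallly's own code: a minimal in-memory vote-update handler in the vulnerable shape (the request's participantId alone decides whose votes change) beside a hardened shape that resolves the participant and checks the caller against it. The data model, names, and the assumption that a poll owner may also edit votes in their poll are hypothetical.

```typescript
// Added example (not Rallly's code): models the IDOR pattern behind
// CVE-2025-65028 and its fix. All types, names and data are hypothetical.

type VoteType = "yes" | "no";
type Participant = { id: string; pollId: string; userId: string };
type Poll = { id: string; ownerUserId: string };
type Vote = { participantId: string; optionId: string; type: VoteType };

// Constructed sample data: one poll owned by alice, two participants.
const polls: Poll[] = [{ id: "poll-1", ownerUserId: "alice" }];
const participants: Participant[] = [
  { id: "p-alice", pollId: "poll-1", userId: "alice" },
  { id: "p-bob", pollId: "poll-1", userId: "bob" },
];
const votes: Vote[] = [
  { participantId: "p-alice", optionId: "opt-1", type: "yes" },
  { participantId: "p-bob", optionId: "opt-1", type: "no" },
];

function applyVoteChange(participantId: string, newType: VoteType): boolean {
  let changed = false;
  for (const v of votes) {
    if (v.participantId === participantId) { v.type = newType; changed = true; }
  }
  return changed;
}

// Vulnerable shape: the caller's identity is never consulted, so any
// authenticated user can rewrite any participant's votes by id.
function updateVotesVulnerable(callerUserId: string, participantId: string, newType: VoteType): boolean {
  void callerUserId; // ignored: this is the missing authorization check
  return applyVoteChange(participantId, newType);
}

// Hardened shape: resolve the participant record, then require that the
// caller owns it or (assumption) owns the poll it belongs to.
function updateVotesSafe(callerUserId: string, participantId: string, newType: VoteType): boolean {
  const participant = participants.find((p) => p.id === participantId);
  if (!participant) return false; // unknown id gets the same answer as forbidden
  const poll = polls.find((p) => p.id === participant.pollId);
  const ownsParticipant = participant.userId === callerUserId;
  const ownsPoll = poll !== undefined && poll.ownerUserId === callerUserId;
  if (!ownsParticipant && !ownsPoll) return false;
  return applyVoteChange(participantId, newType);
}

function getVote(participantId: string): VoteType | undefined {
  return votes.find((v) => v.participantId === participantId)?.type;
}
```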

Potential Impact

For European organizations, this vulnerability poses a risk to the integrity of collaborative scheduling and polling processes, which can undermine trust in decision-making outcomes. Organizations relying on Rallly for internal or external coordination may experience manipulated poll results, potentially leading to incorrect scheduling, resource allocation, or consensus decisions. Although the vulnerability does not affect confidentiality or availability, the integrity compromise can disrupt workflows and damage organizational credibility. In sectors where collaborative tools influence critical decisions—such as government agencies, educational institutions, and large enterprises—the impact could be more pronounced. Additionally, the ease of exploitation by any authenticated user increases the risk of insider threats or compromised accounts being leveraged to manipulate poll data. The absence of known exploits in the wild suggests limited immediate risk, but the medium CVSS score and straightforward attack vector warrant prompt remediation to prevent potential abuse.

Mitigation Recommendations

The primary mitigation is to upgrade Rallly installations to version 4.5.4 or later, where the vulnerability is patched by enforcing proper authorization checks on vote modification requests. Organizations should audit their current Rallly deployments to identify affected versions and prioritize patching. Additionally, implement strict access controls and monitoring for authenticated users to detect unusual voting activity or unauthorized modifications. Employ logging and alerting mechanisms to track poll vote changes and participantId usage patterns. Where possible, restrict poll modification capabilities to trusted roles or users and consider multi-factor authentication to reduce the risk of compromised accounts. Conduct regular security reviews of collaboration tools and validate that authorization checks are consistently applied across all APIs. Finally, educate users about the importance of account security to mitigate insider threats.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-13T15:36:51.682Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691e026693c808727dc91d36

Added to database: 11/19/2025, 5:46:14 PM

Last enriched: 11/26/2025, 6:04:25 PM

Last updated: 1/7/2026, 8:49:21 AM

