CVE-2025-65028 identifies an improper authorization vulnerability categorized under CWE-285, CWE-639, and CWE-862 in the open-source scheduling and collaboration tool Rallly, versions prior to 4.5.4. The vulnerability arises from an insecure direct object reference (IDOR) flaw where the backend API relies solely on the participantId parameter to determine which poll votes to update, without verifying whether the authenticated user owns or has permission to modify those votes. This lack of authorization checks allows any authenticated user to alter other participants’ votes arbitrarily, thereby compromising the integrity of poll results. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and privileges required are limited to authenticated user status (PR:L). The vulnerability does not impact confidentiality or availability but has a significant impact on data integrity (I:H). The flaw has been addressed and patched in Rallly version 4.5.4. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the importance of proper authorization checks in multi-user collaborative applications to prevent unauthorized data manipulation.

For European organizations, the primary impact of this vulnerability lies in the potential manipulation of collaborative poll results, which can undermine trust in decision-making processes and collaborative workflows. Organizations relying on Rallly for scheduling or consensus-building may experience compromised data integrity, leading to incorrect or biased outcomes. This can affect internal project management, resource allocation, and stakeholder engagement. While the vulnerability does not expose sensitive data or disrupt service availability, the alteration of poll results can have cascading effects on operational efficiency and organizational governance. Public sector entities, NGOs, and community-driven projects in Europe that use open-source collaboration tools may be particularly vulnerable. The absence of known exploits reduces immediate risk, but the medium severity and ease of exploitation warrant prompt remediation to prevent potential misuse.

European organizations should immediately upgrade Rallly installations to version 4.5.4 or later, where the vulnerability has been patched. Until upgrades are applied, organizations should restrict access to Rallly instances to trusted users only and monitor poll modification activities for anomalies indicative of vote tampering. Implementing additional application-layer authorization controls or web application firewalls (WAFs) that can detect and block unauthorized API requests targeting participantId parameters may provide temporary protection. Organizations should also conduct audits of poll data integrity and educate users about the risks of unauthorized vote manipulation. For deployments integrated with identity and access management (IAM) systems, enforcing stricter role-based access controls (RBAC) can reduce the risk of exploitation. Regularly reviewing and updating security policies around collaborative tools is recommended to prevent similar authorization issues.