CVE-2025-65029: CWE-285: Improper Authorization in lukevella rallly
Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4.
AI Analysis
Technical Summary
CVE-2025-65029 is an improper authorization vulnerability (CWE-285, with CWE-639 and CWE-862 also assigned) in Rallly, an open-source scheduling and collaboration tool, affecting versions prior to 4.5.4. The flaw is an insecure direct object reference (IDOR) in the poll participant deletion endpoint: the request is authorized solely on the participant ID supplied by the caller, and the server never checks that the requesting user owns the poll the participant belongs to, or is that participant. Because the ID is the only thing the endpoint keys on, any authenticated user who knows a participant ID can delete that participant from any poll, including the poll owner's own entry, which undermines both the integrity and the availability of poll participation data. Exploitation needs an authenticated account but no user interaction and no special conditions: the CVSS v3.1 base score is 8.1 (High), consistent with a network attack vector (AV:N), low attack complexity (AC:L), low privileges required, unchanged scope (S:U), no confidentiality impact and high integrity and availability impact. No exploitation in the wild has been reported, but an IDOR of this kind is trivial to exercise once a participant ID is known, so self-hosted instances that admit low-trust registered users should treat it as urgent. The advisory states only that the issue is fixed in 4.5.4; the expected fix is to resolve the participant to its poll and verify the requester's ownership of that poll (or that the entry is the requester's own) before the delete is executed.
Potential Impact
For European organizations running Rallly, the vulnerability means that poll participation data can be altered by anyone holding an account on the instance, not only by the poll's owner. Integrity suffers because availability responses can be removed silently, so a scheduling decision may be taken on an incomplete picture, leading to confusion, missed meetings or disrupted workflows. Availability suffers because any participant's entry, including the poll owner's own, can be deleted at will, forcing victims to re-enter their responses and, if repeated, rendering the poll unusable. Teams that depend on collaborative scheduling, such as IT, education and public administration, face operational inefficiencies and reputational damage, and where Rallly feeds other internal processes (calendar bookings, meeting invitations) the effect can cascade. The risk is highest on deployments where account registration is open or many low-trust users share one instance, since every authenticated user is a potential attacker.
Mitigation Recommendations
The primary mitigation is to upgrade every Rallly instance to version 4.5.4 or later, where the missing ownership check is addressed. Until the upgrade is done, shrink the attacker population: restrict who can register an account on the instance, to the extent the deployment allows, and limit accounts to trusted users. After upgrading, audit poll data for participants that were deleted by someone other than the poll owner or the participant themselves, and ask affected users to re-enter their responses. Going forward, log participant-management actions with the requesting user, the target participant and the poll, and alert on deletions where the requester is neither the poll owner nor the participant. Operators of forks or customized self-hosted builds should review every endpoint that mutates participant data and confirm that each one resolves the target object to its poll and checks the requester's relationship to that poll before acting, rather than trusting the supplied ID alone. Keep open-source tools on a regular patch cadence, and encourage users to report unexpected changes to polls promptly.
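The audit and alerting steps above can be scripted once deletion events are recorded with the requester, the participant's account and the poll. The following is an added TypeScript example, not code from Rallly: the JSON-lines audit format, the ownership table and the log lines are all constructed for illustration (Rallly is not documented to emit records of this shape), and the function names are hypothetical. It parses the log, tolerates malformed lines, flags every deletion whose requester is neither the poll owner nor the participant, and tallies findings per account.

```typescript
// Added example (not Rallly's code): offline review of participant-deletion
// events. The JSON-lines format, ownership table and sample log are constructed.

interface DeletionEvent {
  ts: string;
  requester: string; // account that issued the delete
  pollId: string;
  participantId: string;
  participantUserId: string | null; // account behind the deleted entry, if any
}

interface Finding {
  ts: string;
  requester: string;
  pollId: string;
  participantId: string;
  reason: string;
}

// Constructed sample: poll -> owner, as it would be read from the database.
const POLL_OWNERS: Record<string, string> = { P1: "alice", P2: "mallory", P3: "carol" };

// Constructed sample log. Lines 1-3 are legitimate, lines 4-5 are cross-poll
// deletions by an unrelated account, and line 6 is malformed.
const SAMPLE_LOG = [
  '{"ts":"2025-11-19T17:46:15Z","requester":"alice","pollId":"P1","participantId":"part-bob","participantUserId":"bob"}',
  '{"ts":"2025-11-19T17:47:01Z","requester":"bob","pollId":"P1","participantId":"part-bob2","participantUserId":"bob"}',
  '{"ts":"2025-11-19T17:48:30Z","requester":"carol","pollId":"P3","participantId":"part-guest","participantUserId":null}',
  '{"ts":"2025-11-19T17:50:00Z","requester":"mallory","pollId":"P1","participantId":"part-alice","participantUserId":"alice"}',
  '{"ts":"2025-11-19T17:50:02Z","requester":"mallory","pollId":"P3","participantId":"part-carol","participantUserId":"carol"}',
  "this line is not json",
].join("\n");

// Parses one JSON object per line; lines that are not JSON or lack the
// required fields are counted rather than silently dropped.
function parseEvents(log: string): { events: DeletionEvent[]; malformed: number } {
  const events: DeletionEvent[] = [];
  let malformed = 0;
  for (const line of log.split("\n")) {
    if (line.trim() === "") continue;
    try {
      const obj = JSON.parse(line);
      if (
        typeof obj.requester !== "string" ||
        typeof obj.pollId !== "string" ||
        typeof obj.participantId !== "string"
      ) {
        throw new Error("missing field");
      }
      events.push({
        ts: String(obj.ts),
        requester: obj.requester,
        pollId: obj.pollId,
        participantId: obj.participantId,
        participantUserId: obj.participantUserId ?? null,
      });
    } catch {
      malformed++;
    }
  }
  return { events, malformed };
}

// A deletion is legitimate only if the requester owns the poll or removed
// their own entry; anything else, including a poll we cannot resolve, is flagged.
function findUnauthorizedDeletions(events: DeletionEvent[], owners: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const e of events) {
    const owner: string | undefined = owners[e.pollId];
    const base = { ts: e.ts, requester: e.requester, pollId: e.pollId, participantId: e.participantId };
    if (owner === undefined) {
      findings.push({ ...base, reason: "poll unknown; ownership cannot be established" });
      continue;
    }
    if (e.requester === owner) continue;
    if (e.participantUserId !== null && e.requester === e.participantUserId) continue;
    findings.push({ ...base, reason: `requester is neither poll owner (${owner}) nor the participant` });
  }
  return findings;
}

// Per-requester tally, useful for deciding which accounts to examine first.
function tallyByRequester(findings: Finding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.requester] = (counts[f.requester] ?? 0) + 1;
  return counts;
}

const sampleParsed = parseEvents(SAMPLE_LOG);
const sampleFindings = findUnauthorizedDeletions(sampleParsed.events, POLL_OWNERS);
console.log(`parsed ${sampleParsed.events.length} events (${sampleParsed.malformed} malformed), ${sampleFindings.length} unauthorized`);
console.log(tallyByRequester(sampleFindings));
```

On the sample data the script reports two unauthorized deletions, both by mallory, and one malformed line. The same predicate (requester is owner, or requester is the participant) is exactly the check the server should have applied before deleting, which is why it doubles as a detection rule: any event that fails it on a pre-4.5.4 instance is a candidate for the restoration step above.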
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.682Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026793c808727dc91d5c
Added to database: 11/19/2025, 5:46:15 PM
Last enriched: 11/19/2025, 6:01:54 PM
Last updated: 11/19/2025, 6:55:23 PM
Related Threats
- CVE-2025-63211: n/a (High)
- CVE-2025-65089: CWE-862: Missing Authorization in xwikisas xwiki-pro-macros (Medium)
- CVE-2025-13315: CWE-420: Unprotected Alternate Channel in Lynxtechnology Twonky Server (Critical)
- CVE-2025-13316: CWE-321: Use of Hard-coded Cryptographic Key in Lynxtechnology Twonky Server (High)
- CVE-2025-65034: CWE-639: Authorization Bypass Through User-Controlled Key in lukevella rallly (High)