CVE-2025-65029 is an improper authorization vulnerability classified under CWE-285, CWE-639, and CWE-862 affecting Rallly, an open-source scheduling and collaboration platform. The flaw exists in versions prior to 4.5.4, where the deletion of poll participants is authorized solely based on the participant ID parameter without verifying if the requesting user owns the poll or has sufficient privileges. This insecure direct object reference (IDOR) allows any authenticated user to delete arbitrary participants, including poll owners, from any poll. The vulnerability impacts the integrity and availability of poll data by enabling unauthorized modifications and potential denial of service. The attack vector is network-based, requiring only low privileges (authenticated user) and no user interaction beyond authentication. The CVSS v3.1 score is 8.1 (high), reflecting the ease of exploitation and significant impact on integrity and availability. The issue was publicly disclosed on November 19, 2025, and patched in Rallly version 4.5.4. No known exploits are currently reported in the wild. This vulnerability highlights the importance of proper access control and ownership verification in collaborative applications to prevent unauthorized data manipulation.

For European organizations, this vulnerability threatens the integrity and availability of collaborative scheduling data, potentially disrupting business operations reliant on poll-based decision-making. Unauthorized deletion of participants can cause confusion, loss of critical scheduling information, and denial of service to legitimate users. Organizations using Rallly for internal or external collaboration may face operational delays and reduced trust in their scheduling tools. The impact is particularly significant for sectors with high reliance on collaborative planning, such as technology firms, educational institutions, and public sector agencies. Additionally, the vulnerability could be exploited to target high-profile polls or meetings, causing reputational damage. Since exploitation requires only authenticated access, insider threats or compromised user accounts increase risk. The lack of confidentiality impact limits data leakage concerns, but integrity and availability impacts remain substantial.

The primary mitigation is to upgrade all Rallly instances to version 4.5.4 or later, where the authorization flaw has been fixed by implementing proper ownership verification before allowing participant deletions. Organizations should audit current poll management permissions and restrict deletion capabilities to poll owners or designated administrators only. Implementing multi-factor authentication (MFA) can reduce the risk of compromised accounts being used to exploit this vulnerability. Monitoring and logging deletion events can help detect suspicious activity. Additionally, organizations should educate users about the importance of safeguarding credentials and promptly apply security patches. For environments where immediate upgrade is not possible, applying web application firewalls (WAFs) with rules to detect and block unauthorized deletion requests based on participant IDs may provide temporary protection. Regular security assessments of collaboration tools should be conducted to identify similar authorization issues.