CVE-2025-65030: CWE-285: Improper Authorization in lukevella rallly
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting user owns the comment or has permission to remove it. This issue has been patched in version 4.5.4.
AI Analysis
Technical Summary
CVE-2025-65030 is an authorization flaw in Rallly, an open-source scheduling and collaboration platform, classified as CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key). Before version 4.5.4, the comment deletion endpoint treats the client-supplied comment ID as sufficient grounds to delete the record: it confirms that the caller is authenticated, but never checks whether the caller authored the comment, owns the poll it belongs to, or holds an administrative role. This is a textbook insecure direct object reference. Any authenticated user who can observe a target comment's ID can delete comments posted by other users, including poll owners and administrators, and so corrupt the record of a collaborative discussion. The flaw is reachable over the network (AV:N) with low attack complexity (AC:L) and needs no user interaction; the only precondition is an account on the instance. The CVSS v3.1 base score is 7.1 (High): integrity impact is high (I:H), availability impact is low (A:L) because deleted comments are lost to every participant, and confidentiality is unaffected (C:N). Version 4.5.4 fixes the issue by adding an authorization check to the deletion path so that only authorized users can remove a comment. No public exploit has been reported, but none is needed: exploitation amounts to sending an ordinary authenticated deletion request with someone else's comment ID, so any deployment still on an earlier version should be treated as exposed.
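The following TypeScript is an added illustration of the pattern described above and its fix; it is not Rallly's source code. The in-memory store, the role model and the function names (deleteCommentUnchecked, canDeleteComment, deleteComment) are assumptions chosen to show exactly which check is missing in the vulnerable shape and where it belongs in the hardened one.

```typescript
// Added illustration of the vulnerable pattern behind CVE-2025-65030 and a
// hardened replacement. Not Rallly's code: types, store and function names
// are assumptions. Interfaces avoid the name "Comment" so they do not merge
// with the DOM type of the same name when compiled with lib.dom.

type Role = "user" | "admin";
interface User { id: string; role: Role }
interface Poll { id: string; ownerId: string }
interface PollComment { id: string; pollId: string; authorId: string }
interface DeleteResult { actor: string; commentId: string; outcome: "deleted" | "denied" | "missing" }

// Constructed sample data standing in for the database.
const users: Record<string, User> = {
  alice: { id: "alice", role: "user" },  // owns poll p1
  bob:   { id: "bob",   role: "user" },  // ordinary participant
  carol: { id: "carol", role: "admin" }, // instance administrator
};
const polls: Record<string, Poll> = { p1: { id: "p1", ownerId: "alice" } };

function freshComments(): Map<string, PollComment> {
  return new Map<string, PollComment>([
    ["c1", { id: "c1", pollId: "p1", authorId: "alice" }],
    ["c2", { id: "c2", pollId: "p1", authorId: "bob" }],
  ]);
}

// Vulnerable shape (pre-4.5.4 behaviour as the advisory describes it): the
// caller is authenticated, but the client-supplied ID alone selects what is
// deleted. Nothing relates `requester` to the comment (CWE-639 -> CWE-285).
function deleteCommentUnchecked(store: Map<string, PollComment>, requester: User, commentId: string): DeleteResult {
  const existed = store.delete(commentId);
  return { actor: requester.id, commentId, outcome: existed ? "deleted" : "missing" };
}

// Policy for the hardened path: the comment's author, the owner of the poll
// it belongs to, or an instance admin may delete it. Everyone else is denied.
function canDeleteComment(requester: User, comment: PollComment): boolean {
  if (requester.role === "admin") return true;
  if (comment.authorId === requester.id) return true;
  const poll = polls[comment.pollId];
  return poll !== undefined && poll.ownerId === requester.id;
}

// Hardened shape: load the object first, authorize against it, then act.
// "denied" and "missing" are kept distinct here so an audit trail is useful;
// a public API may collapse both to 404 to avoid confirming IDs exist.
function deleteComment(store: Map<string, PollComment>, requester: User, commentId: string): DeleteResult {
  const comment = store.get(commentId);
  if (!comment) return { actor: requester.id, commentId, outcome: "missing" };
  if (!canDeleteComment(requester, comment)) return { actor: requester.id, commentId, outcome: "denied" };
  store.delete(commentId);
  return { actor: requester.id, commentId, outcome: "deleted" };
}

// Walk-through: bob, an ordinary participant, targets alice's comment c1.
function demo(): { unchecked: DeleteResult; hardened: DeleteResult } {
  const unchecked = deleteCommentUnchecked(freshComments(), users.bob, "c1"); // succeeds: the bug
  const hardened = deleteComment(freshComments(), users.bob, "c1");           // denied: the fix
  return { unchecked, hardened };
}
```

The structural point is the order of operations in deleteComment: fetch the object by ID, evaluate the requester's relationship to that object, and only then mutate. A deletion routine that never loads the object before deleting it has no data on which to make an authorization decision, which is how the vulnerable shape arises.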
Potential Impact
For European organizations, this vulnerability threatens the integrity of scheduling and coordination workflows rather than the secrecy of their contents. Unauthorized deletion of comments can derail meeting planning, erase decisions or constraints that were only recorded in the discussion, and undermine trust among participants, since nothing in the interface indicates that a comment was removed by someone other than its author. Where Rallly is used to coordinate sensitive or time-critical operations, for example in government agencies, healthcare or financial institutions, the consequence can be operational disruption and reputational damage. Confidentiality is not affected and availability loss is limited to the deleted content, but selective removal of comments is a useful tool for social engineering and insider activity: an attacker can erase an objection, a correction or a record of who agreed to what. Authentication is required, which confines the attack to account holders or compromised accounts, but Rallly is collaborative by design, so most participants hold accounts, and on instances that allow self-service sign-up the precondition is nothing more than registering. Organizations that use Rallly for cross-team or cross-organization scheduling, where participants are not all under the same administrative control, should be particularly vigilant.
Mitigation Recommendations
The only complete fix is to upgrade every Rallly instance to version 4.5.4 or later, where the deletion path performs an authorization check. If an immediate upgrade is not feasible, note that there is no configuration option that disables comment deletion or limits it to trusted users; an interim workaround means either restricting the route that serves comment deletion at the reverse proxy or applying a local patch that verifies ownership before deleting, and both should be treated as temporary. Independently of the upgrade, record every comment deletion with actor, comment ID, poll ID and timestamp, because a deleted comment otherwise leaves no trace and abuse cannot be reconstructed after the fact; alert on unusual deletion volume from a single account or on one account deleting comments across many polls. Multi-factor authentication reduces the risk of a compromised account being used for the attack, but it does not help against a legitimately held account, so review who can register and hold accounts on the instance, disable open sign-up where it is not needed, and keep roles and permissions at the minimum each user requires. Limit exposure of the instance to the networks and identity providers that actually need it. Finally, include authorization testing (attempting to read, modify and delete another user's objects with a low-privilege account) in regular security assessments of collaboration tools, since this class of bug is easy to introduce and easy to find.
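The detection recommendation above (log who deleted what, then look for deletions that cross user boundaries or arrive in bursts) is easier to act on with a concrete job. The TypeScript below is an added example, not Rallly's code or tooling. It assumes a JSON-lines log that records the acting user, method and path of each request, a hypothetical route of the form /api/comments/<id> for deletions, and an ownership table recovered from a database backup or soft-deleted rows; the log lines and the ownership data are constructed for the example.

```typescript
// Added detection example for CVE-2025-65030, not Rallly's code. The log
// format, the /api/comments/<id> route and the ownership snapshot are
// assumptions; the sample data below is constructed.

interface DeleteEvent { ts: number; actor: string; commentId: string }
interface Ownership { authorId: string; pollOwnerId: string }

// Constructed sample log: bob removes four comments in eleven seconds,
// alice (poll owner of p1) removes one comment on her own poll.
const sampleLog = [
  '{"ts":"2025-11-19T10:00:01Z","user":"bob","method":"DELETE","path":"/api/comments/c7"}',
  '{"ts":"2025-11-19T10:00:02Z","user":"alice","method":"GET","path":"/api/polls/p1"}',
  '{"ts":"2025-11-19T10:00:05Z","user":"bob","method":"DELETE","path":"/api/comments/c8"}',
  '{"ts":"2025-11-19T10:00:09Z","user":"bob","method":"DELETE","path":"/api/comments/c9"}',
  '{"ts":"2025-11-19T10:00:12Z","user":"bob","method":"DELETE","path":"/api/comments/c10"}',
  '{"ts":"2025-11-19T11:30:00Z","user":"alice","method":"DELETE","path":"/api/comments/c2"}',
].join("\n");

// Constructed ownership snapshot (from a backup taken before the deletions).
const ownership: Record<string, Ownership> = {
  c7:  { authorId: "alice", pollOwnerId: "alice" },
  c8:  { authorId: "carol", pollOwnerId: "alice" },
  c9:  { authorId: "bob",   pollOwnerId: "alice" },
  c10: { authorId: "dave",  pollOwnerId: "alice" },
  c2:  { authorId: "bob",   pollOwnerId: "alice" },
};

// Extract only comment-deletion requests from the raw log.
function parseDeletes(log: string): DeleteEvent[] {
  const out: DeleteEvent[] = [];
  for (const line of log.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line) as { ts: string; user: string; method: string; path: string };
    const m = /^\/api\/comments\/([^/?]+)$/.exec(rec.path);
    if (rec.method !== "DELETE" || !m) continue;
    out.push({ ts: Date.parse(rec.ts), actor: rec.user, commentId: m[1] });
  }
  return out;
}

// Rule 1: a deletion by someone who is neither the author nor the poll owner.
// Pre-4.5.4 these succeeded silently; after the upgrade they should be denied
// and would surface as "denied" events instead. Admin accounts, if any, would
// need to be excluded via a role list.
function crossUserDeletions(events: DeleteEvent[], own: Record<string, Ownership>): DeleteEvent[] {
  return events.filter((e) => {
    const o = own[e.commentId];
    return o !== undefined && e.actor !== o.authorId && e.actor !== o.pollOwnerId;
  });
}

// Rule 2: at least `threshold` deletions by one actor inside a sliding window.
function burstActors(events: DeleteEvent[], windowMs: number, threshold: number): string[] {
  const byActor = new Map<string, number[]>();
  for (const e of events) {
    const list = byActor.get(e.actor);
    if (list) list.push(e.ts); else byActor.set(e.actor, [e.ts]);
  }
  const flagged: string[] = [];
  byActor.forEach((ts, actor) => {
    ts.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < ts.length; end++) {
      while (ts[end] - ts[start] > windowMs) start++;
      if (end - start + 1 >= threshold) { flagged.push(actor); return; }
    }
  });
  return flagged;
}

// Run both rules over the sample and return the findings.
function analyze(): { crossUser: string[]; bursts: string[] } {
  const events = parseDeletes(sampleLog);
  return {
    crossUser: crossUserDeletions(events, ownership).map((e) => `${e.actor}:${e.commentId}`),
    bursts: burstActors(events, 60000, 4),
  };
}
```

Rule 1 is the one that matters for this CVE, and it only works if ownership data survives the deletion; that is the reason the mitigation text asks for deletions to be logged with poll and comment identifiers. Rule 2 is a coarse backstop that needs no ownership data and catches bulk abuse from a single account.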
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.682Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026793c808727dc91d60
Added to database: 11/19/2025, 5:46:15 PM
Last enriched: 11/26/2025, 6:07:13 PM
Last updated: 1/7/2026, 8:54:26 AM