CVE-2025-65030: CWE-285: Improper Authorization in lukevella rallly
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting user owns the comment or has permission to remove it. This issue has been patched in version 4.5.4.
AI Analysis
Technical Summary
CVE-2025-65030 is an improper authorization vulnerability (CWE-285) in Rallly, an open-source scheduling and collaboration platform. Before version 4.5.4, the comment deletion API endpoint accepted a comment ID and deleted the matching comment without verifying that the requesting user authored it or otherwise had permission to remove it. Any authenticated user could therefore delete comments written by others, including poll owners and administrators, undermining the integrity of the discussion attached to a poll. The root cause is a missing authorization check on the delete operation: the endpoint authenticates the caller but then treats a client-supplied identifier as sufficient to act on the referenced object, the pattern described by CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS v3.1 base score is 7.1 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L: exploitable over the network with low complexity by any low-privileged (authenticated) user, without user interaction; no confidentiality impact, high integrity impact (arbitrary deletion of other users' comments) and low availability impact (deleted content is no longer available to participants). No exploitation in the wild has been reported. Version 4.5.4 patches the issue by requiring that the requesting user owns the comment or is otherwise permitted to remove it, the check the vulnerable endpoint omitted.
Potential Impact
For European organizations running Rallly, the practical consequence is that any participant who can log in can silently remove other users' comments, including those of poll owners and administrators. Instances with open self-registration are the easiest targets, since the only precondition is an account. In a scheduling tool, comments often carry constraints, decisions and clarifications, so their deletion can cause missed context, miscoordination and loss of trust in the platform, particularly where Rallly is used for team coordination or public event planning. The integrity of collaborative data is the primary impact; availability is affected only in that deleted comments are no longer visible to participants, although repeated abuse would degrade the service for everyone. Organizations in education, public administration and NGOs, which commonly adopt open-source collaboration tools, are the most likely to be affected. Deletion of administrators' comments can also undermine moderation and governance of a poll. There is no confidentiality impact, but the integrity impact is sufficient to justify prompt remediation.
Mitigation Recommendations
Organizations using Rallly should upgrade to version 4.5.4 or later, which is the only complete fix. Where an immediate upgrade is not possible, reduce the pool of potential attackers: the flaw requires an authenticated account, so disable open self-registration, restrict logins to a trusted identity provider and remove unused accounts. Network and perimeter controls such as IP allow-listing or a web application firewall cannot tell who owns a comment; they help only by limiting who can reach the application at all, or by temporarily blocking the comment deletion route outright (which also blocks legitimate deletions). Review application and access logs for comment deletions performed by users other than the comment's author and follow up on anomalies, and ask users to report comments that disappear unexpectedly. Self-hosted deployments used only internally can be placed behind a VPN or restricted to internal networks to limit exposure. Keep an incident response plan in place so that any exploitation identified in logs can be addressed quickly.
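As an added illustration of the pattern described in the Technical Summary and of the log review suggested above (example code written for this page, not Rallly's own source): a comment-deletion handler in the missing-check shape beside its fixed form, and the same ownership rule applied retrospectively to constructed deletion records. The data model, function names, the policy that poll owners may remove comments on their own polls, and the sample records are all assumptions made for the example; Rallly's actual schema, route names and permission model are not reproduced here.

```typescript
// Added example, not Rallly's code. All types, names and records are constructed.

type Role = "user" | "admin";

interface Poll { id: string; ownerId: string; }
interface Comment { id: string; pollId: string; authorId: string; }

// The authenticated principal, as a session layer would supply it to the handler.
interface Session { userId: string; role: Role; }

class ForbiddenError extends Error {
  constructor(msg: string) { super(msg); this.name = "ForbiddenError"; }
}
class NotFoundError extends Error {
  constructor(msg: string) { super(msg); this.name = "NotFoundError"; }
}

// In-memory stand-in for the database.
class Store {
  polls = new Map<string, Poll>();
  comments = new Map<string, Comment>();
  constructor(polls: Poll[], comments: Comment[]) {
    for (const p of polls) this.polls.set(p.id, p);
    for (const c of comments) this.comments.set(c.id, c);
  }
}

// Vulnerable shape: the caller is authenticated (a Session exists) but never
// authorized. The only input that matters is the client-supplied comment ID,
// which is exactly the CWE-639 user-controlled-key pattern.
function deleteCommentVulnerable(store: Store, _session: Session, commentId: string): void {
  if (!store.comments.has(commentId)) throw new NotFoundError(commentId);
  store.comments.delete(commentId);
}

// Assumed policy for the example: the comment's author, the owner of the poll
// the comment belongs to, or an admin may delete it. Adjust to the deployment.
function canDeleteComment(store: Store, actor: Session, comment: Comment): boolean {
  if (actor.role === "admin") return true;
  if (comment.authorId === actor.userId) return true;
  const poll = store.polls.get(comment.pollId);
  return poll !== undefined && poll.ownerId === actor.userId;
}

// Fixed shape: load the row first, decide on server-held ownership fields,
// and only then mutate. The request body never influences the decision.
function deleteCommentFixed(store: Store, session: Session, commentId: string): void {
  const comment = store.comments.get(commentId);
  if (!comment) throw new NotFoundError(commentId);
  if (!canDeleteComment(store, session, comment)) {
    throw new ForbiddenError(`user ${session.userId} may not delete comment ${commentId}`);
  }
  store.comments.delete(commentId);
}

// Retrospective audit: each record pairs the actor with the comment as it was
// before deletion; flag every record the fixed rule would have refused.
// Constructed record format; a real review needs the application's own logs.
interface DeletionRecord { actor: Session; deleted: Comment; }

function findUnauthorizedDeletions(store: Store, records: DeletionRecord[]): DeletionRecord[] {
  return records.filter((r) => !canDeleteComment(store, r.actor, r.deleted));
}

// Constructed sample data: one poll owned by alice with three comments.
function sampleStore(): Store {
  return new Store(
    [{ id: "poll-1", ownerId: "alice" }],
    [
      { id: "c-1", pollId: "poll-1", authorId: "alice" },
      { id: "c-2", pollId: "poll-1", authorId: "bob" },
      { id: "c-3", pollId: "poll-1", authorId: "admin-1" },
    ],
  );
}

// Constructed deletion records: only mallory's deletion violates the policy.
const sampleDeletions: DeletionRecord[] = [
  { actor: { userId: "mallory", role: "user" }, deleted: { id: "c-1", pollId: "poll-1", authorId: "alice" } },
  { actor: { userId: "bob", role: "user" }, deleted: { id: "c-2", pollId: "poll-1", authorId: "bob" } },
  { actor: { userId: "alice", role: "user" }, deleted: { id: "c-3", pollId: "poll-1", authorId: "admin-1" } },
];
```

The fixed handler distinguishes a missing comment from a forbidden one, which is convenient for clients but lets an authenticated user probe which comment IDs exist; deployments that care about enumeration can return the not-found response in both cases. The audit function is only as good as the records fed to it: it needs the deleted comment's author recorded at deletion time, because the row itself is gone afterwards.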
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.682Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026793c808727dc91d60
Added to database: 11/19/2025, 5:46:15 PM
Last enriched: 11/19/2025, 6:01:38 PM
Last updated: 11/19/2025, 8:00:07 PM