CVE-2025-65032 is an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639, affecting Rallly, an open-source scheduling and collaboration platform. Prior to version 4.5.4, the application fails to properly authorize requests to rename poll participants. Specifically, any authenticated user can manipulate the participantId parameter in a rename request to change the display names of other users in a poll, even if they are not the poll owner or an administrator. This bypasses intended access controls, violating data integrity by allowing unauthorized modification of user-visible information. The flaw does not expose confidential data or disrupt availability but can cause confusion, misattribution, or impersonation within collaborative environments. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated user), no user interaction, and unchanged scope. No known exploits are currently reported in the wild. The issue was addressed and patched in Rallly version 4.5.4 by enforcing proper authorization checks on participant rename operations.

For European organizations, this vulnerability primarily threatens data integrity within collaborative scheduling environments. Unauthorized renaming of participants can lead to confusion, miscommunication, and potential impersonation, undermining trust in the tool and complicating coordination efforts. In sectors where accurate participant identification is critical—such as healthcare, finance, or government—this could have operational repercussions or facilitate social engineering attacks. While confidentiality and availability are not directly impacted, the integrity breach can indirectly affect decision-making and workflow efficiency. Organizations relying on Rallly for internal or external collaboration risk reputational damage and reduced user confidence if this vulnerability is exploited. The requirement for authentication limits exposure to internal or trusted users, but insider threats or compromised accounts could leverage this flaw.

The primary mitigation is to upgrade Rallly to version 4.5.4 or later, where the vulnerability is patched. Organizations should audit their deployments to identify affected versions and prioritize timely updates. Additionally, implement strict access controls and monitoring on user accounts to reduce the risk of compromised credentials being used to exploit this flaw. Employ logging and alerting on participant rename actions to detect anomalous behavior indicative of exploitation attempts. Educate users about the risks of impersonation and encourage verification of participant identities through secondary channels when critical decisions depend on poll outcomes. For environments where immediate patching is not feasible, consider restricting poll participant rename permissions to trusted roles or disabling rename functionality temporarily. Regularly review and test authorization mechanisms in collaboration tools to prevent similar IDOR vulnerabilities.