CVE-2025-65033: CWE-285: Improper Authorization in lukevella rallly

Severity: High
Tags: vulnerability, cve-2025-65033, cwe-285, cwe-639
Published: Wed Nov 19 2025 (11/19/2025, 17:26:44 UTC)
Source: CVE Database V5
Vendor/Project: lukevella
Product: rallly

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.

AI-Powered Analysis

Last updated: 11/26/2025, 18:05:52 UTC

Technical Analysis

CVE-2025-65033 is an authorization vulnerability classified under CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key), that is, an insecure direct object reference on the poll identifier. It affects Rallly, an open-source scheduling and collaboration platform, in all versions prior to 4.5.4. The poll management feature selects the target poll solely by its public pollId, which anyone holding the poll link knows, and never checks that the authenticated user issuing a pause or resume request is the poll's owner. Any authenticated user can therefore change the state of polls created by others.

The flaw discloses no confidential data; its effect is unauthorized modification of poll state, which disrupts collaborative scheduling and decision-making. The CVSS v3.1 base score is 8.1 (High): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, any regular account suffices), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H) and high availability impact (A:H). No exploitation in the wild had been reported at the time of analysis. The issue was publicly disclosed on November 19, 2025 and fixed in Rallly 4.5.4; operators of earlier versions should upgrade to restore the ownership check.
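The following is an added illustration, not Rallly's own code: an in-memory model of a pause/resume handler in the vulnerable shape the analysis describes (poll selected by public pollId alone) next to the corrected shape (update scoped to pollId and the caller's userId). All names here (Poll, Session, PollStore, setPollStatusVulnerable, setPollStatusFixed) and the sample data are hypothetical.

```typescript
type PollStatus = "live" | "paused";

interface Poll {
  id: string;      // public pollId: anyone with the poll link knows it
  userId: string;  // owner (creator) of the poll
  status: PollStatus;
}

interface Session {
  userId: string;  // the authenticated caller
}

class AuthorizationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AuthorizationError";
  }
}

// Minimal in-memory stand-in for the polls table (hypothetical).
class PollStore {
  private polls = new Map<string, Poll>();
  constructor(seed: Poll[]) {
    for (const p of seed) this.polls.set(p.id, { ...p });
  }
  get(id: string): Poll | undefined {
    return this.polls.get(id);
  }
  // Equivalent of: UPDATE polls SET status=? WHERE id=?   (no owner predicate)
  updateStatusById(id: string, status: PollStatus): boolean {
    const p = this.polls.get(id);
    if (!p) return false;
    p.status = status;
    return true;
  }
  // Equivalent of: UPDATE polls SET status=? WHERE id=? AND userId=?
  updateStatusByIdAndOwner(id: string, userId: string, status: PollStatus): boolean {
    const p = this.polls.get(id);
    if (!p || p.userId !== userId) return false;
    p.status = status;
    return true;
  }
}

// Vulnerable shape (the pre-4.5.4 behaviour as described): the caller must be
// authenticated, but the poll is selected by pollId alone, so any logged-in
// user can pause or resume any poll.
function setPollStatusVulnerable(store: PollStore, session: Session, pollId: string, status: PollStatus): Poll {
  if (!session.userId) throw new AuthorizationError("login required");
  if (!store.updateStatusById(pollId, status)) throw new Error("poll not found");
  return store.get(pollId)!;
}

// Fixed shape: the update is scoped to pollId AND the caller's userId. A
// non-owner gets the same "not found" outcome as a missing poll, so the check
// neither modifies the row nor confirms that the pollId exists.
function setPollStatusFixed(store: PollStore, session: Session, pollId: string, status: PollStatus): Poll {
  if (!session.userId) throw new AuthorizationError("login required");
  if (!store.updateStatusByIdAndOwner(pollId, session.userId, status)) {
    throw new AuthorizationError("poll not found or not owned by caller");
  }
  return store.get(pollId)!;
}

// Constructed scenario: mallory (any authenticated user) targets alice's poll.
function runScenario(handler: typeof setPollStatusVulnerable): { status: PollStatus; rejected: boolean } {
  const store = new PollStore([{ id: "poll-alice-1", userId: "alice", status: "live" }]);
  const mallory: Session = { userId: "mallory" };
  let rejected = false;
  try {
    handler(store, mallory, "poll-alice-1", "paused");
  } catch (e) {
    rejected = (e as Error).name === "AuthorizationError";
  }
  return { status: store.get("poll-alice-1")!.status, rejected };
}

console.log("vulnerable:", runScenario(setPollStatusVulnerable)); // { status: 'paused', rejected: false }
console.log("fixed:     ", runScenario(setPollStatusFixed));      // { status: 'live', rejected: true }
```

The important design point is in `updateStatusByIdAndOwner`: the ownership predicate is part of the write itself rather than a separate read followed by a write, so there is no window in which a poll can be modified without the owner check, and a non-owner cannot distinguish "not yours" from "does not exist".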

Potential Impact

For European organizations, this vulnerability can lead to significant disruption in collaborative scheduling and decision-making processes, particularly in environments relying on Rallly for team coordination. The unauthorized ability to pause or resume polls can cause confusion, delay decisions, and reduce trust in the scheduling platform’s reliability. While no direct data confidentiality breach occurs, the integrity and availability of poll data are compromised, potentially impacting business operations and productivity. Organizations with distributed teams or those heavily dependent on open-source collaboration tools may experience amplified operational impacts. Additionally, the ease of exploitation by any authenticated user increases the risk of insider threats or compromised accounts being leveraged to disrupt workflows. This could be particularly problematic in sectors such as government, education, and technology, where collaborative scheduling is critical.

Mitigation Recommendations

The primary mitigation is to upgrade all Rallly instances to version 4.5.4 or later, where the ownership check was added. Audit current deployments, including self-hosted instances, to identify any still running a vulnerable version. Note that multi-factor authentication and credential hygiene reduce the risk of account takeover but do not address this flaw: any legitimately registered user can trigger it, so on self-hosted instances with open registration, restrict sign-up to trusted users until the upgrade is complete. Enforce access controls in the surrounding infrastructure (for example an identity provider or reverse proxy in front of the application) to limit who can authenticate at all. Monitor application and proxy logs for pause/resume requests where the acting user is not the poll owner, and establish incident response procedures to quickly address detected misuse. Finally, educate users about safeguarding credentials to prevent exploitation by unauthorized parties.
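As an added example of the log review recommended above (not code from Rallly or its maintainers), the snippet below hunts retrospectively for poll state changes made by someone other than the poll's owner, which is the signature of this flaw on an instance that ran a version before 4.5.4. The log line format, the field names (`actor`, `pollId`, `status`) and the sample data are constructed for this example; a real deployment would map its own request or audit records onto `PollEvent` and export the pollId-to-owner mapping from its database.

```typescript
// Constructed log model: one poll state change per line.
interface PollEvent { ts: string; actor: string; pollId: string; status: string }
interface Finding extends PollEvent { owner: string; reason: "non-owner" | "unknown-poll" }

// Accepts lines such as:
//   2025-11-20T10:03:11Z poll.status actor=mallory pollId=poll-alice-1 status=paused
// Returns null for lines that are not poll status changes.
function parsePollEvent(line: string): PollEvent | null {
  const m = /^(\S+)\s+poll\.status\s+actor=(\S+)\s+pollId=(\S+)\s+status=(live|paused)\s*$/.exec(line.trim());
  return m ? { ts: m[1], actor: m[2], pollId: m[3], status: m[4] } : null;
}

// owners maps pollId -> owning userId (for example, exported from the polls table).
// Flags changes by a non-owner, and also changes to polls with no ownership record
// (e.g. since deleted), since those cannot be cleared as legitimate.
function findUnauthorizedChanges(lines: string[], owners: Map<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const ev = parsePollEvent(line);
    if (!ev) continue;
    const owner = owners.get(ev.pollId);
    if (owner === undefined) {
      findings.push({ ...ev, owner: "<unknown>", reason: "unknown-poll" });
    } else if (owner !== ev.actor) {
      findings.push({ ...ev, owner, reason: "non-owner" });
    }
  }
  return findings;
}

// Constructed sample input.
const SAMPLE_OWNERS = new Map<string, string>([
  ["poll-alice-1", "alice"],
  ["poll-bob-7", "bob"],
]);

const SAMPLE_LOG = [
  "2025-11-20T09:58:02Z http GET /poll/poll-alice-1 actor=mallory",                   // unrelated line, ignored
  "2025-11-20T10:03:11Z poll.status actor=mallory pollId=poll-alice-1 status=paused", // non-owner: flag
  "2025-11-20T10:05:40Z poll.status actor=alice pollId=poll-alice-1 status=live",     // owner: fine
  "2025-11-20T10:09:13Z poll.status actor=mallory pollId=poll-bob-7 status=paused",   // non-owner: flag
  "2025-11-20T10:12:00Z poll.status actor=carol pollId=poll-gone-3 status=paused",    // no owner record: flag
];

function demoFindings(): Finding[] {
  return findUnauthorizedChanges(SAMPLE_LOG, SAMPLE_OWNERS);
}

for (const f of demoFindings()) {
  console.log(`${f.ts} ${f.reason}: ${f.actor} set ${f.pollId} (owner ${f.owner}) to ${f.status}`);
}
```

On a patched instance the same query should return nothing for new log entries; if it still does, the upgrade did not take effect on that node. A repeated actor across several polls in the findings is the pattern to pivot on during incident response.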


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-13T15:36:51.683Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691e026793c808727dc91d6c

Added to database: 11/19/2025, 5:46:15 PM

Last enriched: 11/26/2025, 6:05:52 PM

Last updated: 1/7/2026, 8:54:58 AM

