CVE-2025-65034: CWE-639: Authorization Bypass Through User-Controlled Key in lukevella rallly

Severity: High
Published: Wed Nov 19 2025 (11/19/2025, 17:26:59 UTC)
Source: CVE Database V5
Vendor/Project: lukevella
Product: rallly

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.

AI-Powered Analysis

Last updated: 11/26/2025, 18:05:31 UTC

Technical Analysis

CVE-2025-65034 is an authorization bypass in Rallly, an open-source scheduling and collaboration platform, classified under CWE-639 (Authorization Bypass Through User-Controlled Key). In versions prior to 4.5.4 the operation that reopens a finalized poll does not verify that the caller owns the poll: it acts on whatever pollId the client supplies and checks only that the request comes from an authenticated session. Any authenticated user can therefore substitute another user's pollId and reopen that poll. This is the classic insecure direct object reference pattern, in which a server-side lookup is keyed on a value the client controls and no ownership check follows the lookup.

Reopening someone else's finalized poll changes its state and reopens it for changes, which disrupts events that were already scheduled, confuses participants, and undermines both the integrity and the availability of poll data. Confidentiality is not directly affected. Exploitation requires an account on the instance but no user interaction, so the flaw is easy to exploit by any registered user, including an insider or an attacker using a compromised account.

The issue was fixed in version 4.5.4, which enforces an ownership check on the poll reopening operation. No exploitation in the wild had been reported as of the publication date. The CVSS v3.1 base score is 8.1 (High): network attack vector, low attack complexity, low privileges required, no user interaction, high integrity and availability impact, and no confidentiality impact. The root cause is the missing authorization check on a user-controlled key (pollId), a common weakness in web applications that manage per-user resources.
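
The following is an added example and not Rallly's code: a minimal TypeScript model of the CWE-639 pattern described above, showing the vulnerable handler (authentication only, pollId trusted) next to the hardened one (ownership verified server-side before the mutation). The Poll shape, the in-memory store, the session object and all function and poll names are hypothetical.

```typescript
// Added example, not Rallly's code: a minimal model of the CWE-639 pattern.
// The Poll shape, store, session and function names are hypothetical; the
// point is where the ownership check sits relative to the mutation.

export interface Poll { id: string; ownerId: string; finalized: boolean }
export interface Session { userId: string }
export type PollStore = Map<string, Poll>;

export class AuthorizationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AuthorizationError";
    // Keep instanceof working when compiled to older JS targets.
    Object.setPrototypeOf(this, AuthorizationError.prototype);
  }
}

// Constructed sample data: two finalized polls owned by two different users.
export function samplePolls(): PollStore {
  return new Map<string, Poll>([
    ["poll-alice", { id: "poll-alice", ownerId: "alice", finalized: true }],
    ["poll-bob", { id: "poll-bob", ownerId: "bob", finalized: true }],
  ]);
}

// Vulnerable pattern: the only gate is "is there a logged-in user?". The
// pollId comes straight from the client and selects any row in the store,
// so a non-owner can flip another user's finalized poll back to open.
export function reopenPollVulnerable(store: PollStore, session: Session, pollId: string): Poll {
  if (!session.userId) throw new AuthorizationError("login required");
  const poll = store.get(pollId);
  if (!poll) throw new Error("poll not found");
  poll.finalized = false;
  return poll;
}

// Hardened pattern: resolve the row, then require that the caller owns it
// before mutating. The comparison is against the owner stored server-side,
// never against anything the client sent.
export function reopenPollSecure(store: PollStore, session: Session, pollId: string): Poll {
  if (!session.userId) throw new AuthorizationError("login required");
  const poll = store.get(pollId);
  // Same response for "no such poll" and "not your poll", so the endpoint
  // does not become an oracle for which poll IDs exist.
  if (!poll || poll.ownerId !== session.userId) {
    throw new AuthorizationError("poll not found or not owned by caller");
  }
  poll.finalized = false;
  return poll;
}

// Convenience wrapper: true if the given caller managed to reopen the poll,
// false if the handler refused it on authorization grounds.
export function attemptReopen(
  handler: typeof reopenPollSecure,
  store: PollStore,
  userId: string,
  pollId: string,
): boolean {
  try {
    handler(store, { userId }, pollId);
    return true;
  } catch (e) {
    if (e instanceof AuthorizationError) return false;
    throw e;
  }
}
```

The hardened handler deliberately folds "not found" and "not owned" into one error; returning a distinct 404 versus 403 would let an attacker enumerate valid poll IDs even after the ownership check is in place.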

Potential Impact

For European organizations, this vulnerability threatens the integrity and availability of collaborative scheduling data. Organizations that rely on Rallly for event coordination may see finalized polls reopened without authorization, leading to event disruptions, scheduling conflicts, and loss of trust among users. This affects internal operations, customer-facing scheduling, and cross-organizational collaboration, and the disruption can cascade into operational inefficiency and reputational damage, especially in sectors that depend on precise scheduling such as healthcare, education, and public services. Because exploitation requires an authenticated account, the realistic actors are insiders and attackers holding compromised credentials; on an instance where anyone can register, that bar is low. The absence of a confidentiality impact limits the risk of data leakage but does not reduce the operational impact. Since Rallly is open source and commonly self-hosted, organizations running customized deployments may be slower to patch, which lengthens their exposure.

Mitigation Recommendations

European organizations should upgrade all Rallly instances to version 4.5.4 or later, where the ownership check is enforced. Beyond the upgrade:

Audit the permissions and access controls around poll management so that the principle of least privilege holds, and confirm that every mutating poll operation, not only reopening, checks ownership of the object it modifies.

Monitor and alert on poll reopening activity, in particular reopen events whose actor is not the poll owner, and on any single account reopening many polls in a short window.

Where the deployment allows it, restrict who can hold an account on the instance (for example by disabling open sign-up or requiring organizational SSO), since the flaw is reachable by every authenticated user.

For self-hosted deployments, verify that dependencies and integrations are compatible with the patched version before rolling it out, so the upgrade does not itself cause an outage.

Run security awareness training to reduce the risk of compromised credentials, which are the most likely route for an outsider to obtain the required authenticated access.

Maintain an incident response plan so that exploitation attempts, or the operational fallout from reopened polls, can be handled quickly.
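
The following is an added example, not part of the original advisory or of Rallly: a small detection that runs over constructed audit-log records and flags poll reopen events whose actor is not the poll owner, then counts alerts per actor so one account touching many other users' polls stands out. The newline-delimited JSON format, its field names, the ownership table, and the sample lines are all constructed for this example; adapt them to whatever your deployment actually emits.

```typescript
// Added example, not Rallly's code. The log format, field names and the
// ownership table below are hypothetical and constructed for illustration.

export interface ReopenEvent {
  ts: string;      // ISO timestamp
  event: string;   // e.g. "poll.reopen"
  actor: string;   // authenticated user who issued the request
  pollId: string;  // the user-controlled key from the request
}

export interface Alert {
  ts: string;
  actor: string;
  pollId: string;
  ownerId: string;
}

// Constructed sample: alice reopens her own poll (benign), mallory reopens
// two polls she does not own (the CVE-2025-65034 pattern), plus an unrelated
// vote event and one malformed line that the parser must tolerate.
export const SAMPLE_LOG = [
  '{"ts":"2025-11-20T09:00:01Z","event":"poll.reopen","actor":"alice","pollId":"poll-alice"}',
  '{"ts":"2025-11-20T09:00:05Z","event":"poll.vote","actor":"mallory","pollId":"poll-alice"}',
  '{"ts":"2025-11-20T09:00:09Z","event":"poll.reopen","actor":"mallory","pollId":"poll-alice"}',
  '{"ts":"2025-11-20T09:00:12Z","event":"poll.reopen","actor":"mallory","pollId":"poll-bob"}',
  "not json at all",
].join("\n");

// Constructed ownership table (in a real deployment this comes from the DB).
export const SAMPLE_OWNERS: Record<string, string> = {
  "poll-alice": "alice",
  "poll-bob": "bob",
};

// Parse newline-delimited JSON, skipping blank or malformed lines rather than
// aborting the whole run on one bad record.
export function parseEvents(ndjson: string): ReopenEvent[] {
  const out: ReopenEvent[] = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    try {
      const obj = JSON.parse(line);
      if (typeof obj.event === "string" && typeof obj.actor === "string" && typeof obj.pollId === "string") {
        out.push({ ts: String(obj.ts ?? ""), event: obj.event, actor: obj.actor, pollId: obj.pollId });
      }
    } catch {
      // malformed line: ignore and keep going
    }
  }
  return out;
}

// Flag every reopen whose actor is not the poll's owner. A poll missing from
// the ownership table is also flagged: a reopen on an unknown key is worth a look.
export function detectUnauthorizedReopens(ndjson: string, owners: Record<string, string>): Alert[] {
  return parseEvents(ndjson)
    .filter((e) => e.event === "poll.reopen")
    .filter((e) => owners[e.pollId] !== e.actor)
    .map((e) => ({ ts: e.ts, actor: e.actor, pollId: e.pollId, ownerId: owners[e.pollId] ?? "<unknown>" }));
}

// Count alerts per actor so a single account reopening many other users'
// polls is distinguishable from a one-off.
export function alertsByActor(alerts: Alert[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const a of alerts) counts[a.actor] = (counts[a.actor] ?? 0) + 1;
  return counts;
}
```

On an unpatched instance this rule fires on successful cross-owner reopens; after upgrading to 4.5.4 the same events should appear only as rejected requests, so a hit after the upgrade is a sign the patch is not actually deployed.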

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-13T15:36:51.684Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 691e026793c808727dc91d70

Added to database: 11/19/2025, 5:46:15 PM

Last enriched: 11/26/2025, 6:05:31 PM

Last updated: 1/7/2026, 8:15:45 AM