CVE-2025-65034: CWE-639: Authorization Bypass Through User-Controlled Key in lukevella rallly
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.
AI Analysis
Technical Summary
CVE-2025-65034 is an authorization bypass vulnerability, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), in the Rallly scheduling and collaboration tool maintained by lukevella. It affects versions prior to 4.5.4 and allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter in API requests or the user interface: the reopen action trusts the client-supplied identifier and does not verify that the caller owns the poll or is otherwise permitted to change it before applying the state change. As a result, unauthorized users can alter the state of other users' polls, disrupting event scheduling and collaboration workflows; this compromises the integrity of poll data and the availability of finalized events and can cause confusion or operational delays. The vulnerability has a CVSS v3.1 score of 8.1 (high severity): network attack vector, low attack complexity, privileges required (an authenticated user account), no user interaction, and unchanged scope. No exploitation in the wild has been reported, but the flaw is straightforward to exploit by any authenticated user, making it a significant risk for organizations running affected versions. It was fixed in Rallly version 4.5.4 by adding proper authorization checks so that only the poll owner or an otherwise authorized user can reopen a finalized poll.
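The pattern described above, as an added illustration that is not Rallly's code: a hypothetical "reopen poll" handler backed by an in-memory store. The vulnerable version authenticates the caller but then acts on whatever pollId the client supplies; the hardened version checks ownership before changing state, and reports a foreign poll the same way as a missing one so the response does not confirm which ids exist. All names, types and sample data here are constructed for the example.

```typescript
// Added example of CWE-639 on a "reopen poll" action. Hypothetical in-memory
// model and function names; not Rallly's code or schema.

type PollStatus = "live" | "finalized";

interface Poll {
  id: string;
  ownerId: string;
  status: PollStatus;
}

type ReopenResult =
  | { ok: true; poll: Poll }
  | { ok: false; reason: "unauthenticated" | "not_found" };

// Constructed sample data: two users, each owning one finalized poll.
// A fresh store per call keeps the two handlers below independent.
function seedStore(): Map<string, Poll> {
  return new Map<string, Poll>([
    ["poll-a", { id: "poll-a", ownerId: "alice", status: "finalized" }],
    ["poll-b", { id: "poll-b", ownerId: "bob", status: "finalized" }],
  ]);
}

// Vulnerable pattern: the caller is authenticated, but the poll is looked up
// purely by the client-supplied id and mutated without an ownership check, so
// any logged-in user can reopen any poll.
function reopenPollVulnerable(
  store: Map<string, Poll>,
  callerId: string,
  pollId: string,
): ReopenResult {
  if (!callerId) return { ok: false, reason: "unauthenticated" };
  const poll = store.get(pollId);
  if (!poll) return { ok: false, reason: "not_found" };
  poll.status = "live";
  return { ok: true, poll };
}

// Hardened pattern: ownership is verified before the state change. Missing and
// foreign polls get the same "not_found" answer, so the endpoint cannot be used
// to confirm which poll ids exist.
function reopenPollSecure(
  store: Map<string, Poll>,
  callerId: string,
  pollId: string,
): ReopenResult {
  if (!callerId) return { ok: false, reason: "unauthenticated" };
  const poll = store.get(pollId);
  if (!poll || poll.ownerId !== callerId) {
    return { ok: false, reason: "not_found" };
  }
  poll.status = "live";
  return { ok: true, poll };
}

// Stand-alone demonstration: a third user tries to reopen alice's poll.
const demoStore = seedStore();
console.log("vulnerable:", reopenPollVulnerable(seedStore(), "mallory", "poll-a"));
console.log("hardened:  ", reopenPollSecure(demoStore, "mallory", "poll-a"));
console.log("owner:     ", reopenPollSecure(demoStore, "alice", "poll-a"));
```

The important design point is that the ownership predicate sits in the same function as the mutation, not in a UI layer the client can skip. In a real application the same check belongs in every state-changing poll operation (finalize, delete, edit options), since the bug class is about the missing predicate, not about this one action.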
Potential Impact
For European organizations, this vulnerability can lead to unauthorized manipulation of event scheduling data, causing disruption in collaborative workflows and event management. The integrity of poll results is compromised as unauthorized users can reopen and potentially alter finalized polls. This can result in operational inefficiencies, loss of trust among users, and potential cascading effects on dependent business processes or decision-making. Availability is also impacted since finalized events can be reopened and changed, leading to confusion and scheduling conflicts. Organizations relying on Rallly for critical scheduling, especially in sectors like education, public administration, or collaborative project management, may face significant operational disruptions. The requirement for authenticated access limits exposure to internal or trusted users, but insider threats or compromised accounts could exploit this vulnerability. Given the open-source nature of Rallly, organizations using customized or self-hosted deployments must ensure timely patching to avoid exploitation.
Mitigation Recommendations
The primary mitigation is to upgrade all Rallly instances to version 4.5.4 or later, where the authorization bypass vulnerability has been fixed. Organizations should audit their current Rallly deployments to identify affected versions and prioritize patching accordingly. Implement strict access controls and monitor authenticated user activities related to poll management to detect unauthorized reopening of polls. Consider integrating additional logging and alerting mechanisms for poll state changes to quickly identify suspicious behavior. For self-hosted environments, review and harden API endpoint authorization logic to prevent manipulation of parameters like pollId by unauthorized users. Educate users and administrators about the risk of insider threats and the importance of safeguarding credentials. If immediate patching is not feasible, restrict Rallly access to trusted networks or VPNs to reduce exposure. Regularly review and update user permissions to ensure only authorized personnel can manage polls and events.
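The logging and alerting recommendation above, as an added example that is not part of the advisory or of Rallly: a small detector that reads application audit events for poll state changes and flags any reopen performed by someone other than the poll's owner, then summarizes by actor so an account touching several foreign polls stands out. The JSON-lines event format, field names and sample records are constructed assumptions for this example; the owner mapping stands in for a lookup against the application's own database.

```typescript
// Added detection example for poll state-change events. Event format, field
// names and sample data are constructed; adapt to whatever the deployment logs.

interface PollEvent {
  ts: string;
  event: string;
  actor: string;
  pollId: string;
}

interface Finding {
  ts: string;
  actor: string;
  pollId: string;
  owner: string;
}

// Constructed sample audit log: one legitimate reopen by the owner, two
// reopens of other users' polls by "mallory", an unrelated finalize event,
// and one malformed line that the parser must skip rather than crash on.
const SAMPLE_LOG = [
  '{"ts":"2025-11-19T17:46:15Z","event":"poll.reopen","actor":"alice","pollId":"poll-a"}',
  '{"ts":"2025-11-19T17:47:02Z","event":"poll.reopen","actor":"mallory","pollId":"poll-b"}',
  '{"ts":"2025-11-19T17:47:05Z","event":"poll.finalize","actor":"bob","pollId":"poll-b"}',
  '{"ts":"2025-11-19T17:47:09Z","event":"poll.reopen","actor":"mallory","pollId":"poll-a"}',
  "this line is not JSON",
].join("\n");

// Constructed owner mapping; in a real deployment this comes from the database.
const OWNERS = new Map<string, string>([
  ["poll-a", "alice"],
  ["poll-b", "bob"],
]);

// Parse JSON lines defensively: skip blank, malformed or incomplete records.
function parseEvents(text: string): PollEvent[] {
  const out: PollEvent[] = [];
  for (const line of text.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      const obj = JSON.parse(trimmed) as Partial<PollEvent>;
      if (obj.ts && obj.event && obj.actor && obj.pollId) {
        out.push({ ts: obj.ts, event: obj.event, actor: obj.actor, pollId: obj.pollId });
      }
    } catch {
      // malformed line: ignore, a detector must not fail open on bad input
    }
  }
  return out;
}

// Flag every reopen whose actor is not the recorded owner of the poll.
// A poll with no known owner is also flagged, since that itself is anomalous.
function findForeignReopens(events: PollEvent[], owners: Map<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const e of events) {
    if (e.event !== "poll.reopen") continue;
    const owner = owners.get(e.pollId) ?? "<unknown>";
    if (owner !== e.actor) {
      findings.push({ ts: e.ts, actor: e.actor, pollId: e.pollId, owner });
    }
  }
  return findings;
}

// Count distinct foreign polls per actor: one is a possible mistake,
// several in a short window looks like deliberate id manipulation.
function summarizeByActor(findings: Finding[]): Map<string, number> {
  const perActor = new Map<string, Set<string>>();
  for (const f of findings) {
    if (!perActor.has(f.actor)) perActor.set(f.actor, new Set());
    perActor.get(f.actor)!.add(f.pollId);
  }
  return new Map([...perActor].map(([actor, polls]) => [actor, polls.size]));
}

// Stand-alone run over the constructed sample.
const findings = findForeignReopens(parseEvents(SAMPLE_LOG), OWNERS);
console.log(findings);
console.log(summarizeByActor(findings));
```

Run this as a scheduled job or a SIEM rule over the same events; the per-actor count is the value worth alerting on, with a threshold chosen for the deployment's normal collaboration patterns.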
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-13T15:36:51.684Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e026793c808727dc91d70
Added to database: 11/19/2025, 5:46:15 PM
Last enriched: 11/19/2025, 6:01:04 PM
Last updated: 11/19/2025, 8:04:08 PM
Related Threats
- CVE-2025-63213: n/a (Unknown)
- CVE-2025-63212: n/a (Unknown)
- CVE-2025-65103: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in devcode-it openstamanager (High)
- CVE-2025-64759: CWE-20: Improper Input Validation in homarr-labs homarr (High)
- CVE-2025-65100: CWE-693: Protection Mechanism Failure in ilbers isar (Medium)