CVE-2025-65028 in Rallly

Summary

by MITRE • 11/19/2025

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4.


Analysis

by VulDB Data Team • 11/19/2025

CVE-2025-65028 affects Rallly, an open-source scheduling and collaboration platform in which users create polls and manage participant votes. It is a critical insecure direct object reference (IDOR) vulnerability that undermines the integrity of poll data. The root cause is insufficient validation: when processing a vote modification, the backend relies exclusively on the participantId parameter to select which votes to update and never verifies that the caller owns that participant record or holds permissions on the poll. Prior to version 4.5.4, any authenticated user could therefore rewrite votes belonging to other participants and manipulate poll results, which is a direct failure of access control and data integrity.

Technically, the flaw is an authorization failure: the system accepts a user-supplied identifier without validating that the authenticated user has rights to the referenced resource. Because participantId is the sole reference point for locating the votes to update, a request that names another participant's identifier updates that participant's votes. The weakness is classified as CWE-284 (Improper Access Control) and is a textbook case of how insufficient validation of a user-supplied identifier leads to privilege escalation and data manipulation. The attack requires no privilege beyond basic authentication, so any user of the system who can identify a valid participant identifier can exercise it, and poll outcomes altered this way can go unnoticed, influencing scheduling decisions and undermining the collaborative purpose of the platform.

The operational impact goes beyond corrupted data to the trust model of the platform itself. If authenticated users can manipulate poll results, the collaborative process can be gamed, leading to incorrect scheduling decisions, resource allocation problems, and loss of confidence in the system's integrity. Because fraudulent vote changes could persist undetected for extended periods, the reliability and availability of the service are also affected. Organizations relying on Rallly for scheduling and coordination face risks including legal implications from altered poll results, disruption of business processes, and damage to collaborative relationships. The flaw also lends itself to social engineering, where a malicious actor steers group decisions in their favor and bypasses the intended democratic nature of the poll.

Remediation for CVE-2025-65028 requires an authorization check that verifies ownership before any vote modification: the backend must confirm that the authenticated user has the right to modify the specific participant's votes, typically through session-based validation or token-based authorization, so that every data modification request is both authenticated and authorized, in line with the principle of least privilege. Version 4.5.4 closes the IDOR by validating participant ownership before permitting vote updates. Organizations should also log and monitor vote modification activity to detect unauthorized attempts. The control must block parameter tampering without adding barriers for legitimate participants. The case illustrates the value of building comprehensive access control into the application during development rather than patching it after deployment.
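The following is an added example, not Rallly's own code: a vote-update handler written in the IDOR-prone shape the analysis describes (participantId alone selects the row), beside a version that enforces the ownership check and audit logging the remediation calls for. All types, names and the in-memory store are hypothetical stand-ins for the real application's data layer; the sample poll and participants are constructed.

```typescript
// Hypothetical types standing in for the application's data model.
type Vote = "yes" | "no" | "ifNeedBe";
interface Participant { id: string; pollId: string; userId: string; votes: Record<string, Vote> }
interface Poll { id: string; ownerId: string }
interface Session { userId: string }

// Constructed sample data: poll p1 owned by alice, with participants bob and carol.
const polls = new Map<string, Poll>([["p1", { id: "p1", ownerId: "alice" }]]);
const participants = new Map<string, Participant>([
  ["part-bob", { id: "part-bob", pollId: "p1", userId: "bob", votes: { opt1: "yes" } }],
  ["part-carol", { id: "part-carol", pollId: "p1", userId: "carol", votes: { opt1: "no" } }],
]);
// Audit trail of every accepted or denied modification attempt.
const auditLog: string[] = [];

// IDOR-prone shape: participantId alone selects the row; the session is never consulted,
// so any authenticated caller can overwrite any participant's votes.
function updateVotesInsecure(session: Session, participantId: string, votes: Record<string, Vote>): boolean {
  const p = participants.get(participantId);
  if (!p) return false;
  p.votes = { ...votes };
  return true;
}

// Hardened shape: the participant row must belong to the caller, or the caller must own
// the poll the row belongs to. Unknown ids and foreign ids get the same answer so the
// endpoint does not confirm which participant ids exist.
function updateVotesSecure(session: Session, participantId: string, votes: Record<string, Vote>): boolean {
  const p = participants.get(participantId);
  const poll = p ? polls.get(p.pollId) : undefined;
  if (!p || !poll || (p.userId !== session.userId && poll.ownerId !== session.userId)) {
    auditLog.push(`denied user=${session.userId} participant=${participantId}`);
    return false;
  }
  p.votes = { ...votes };
  auditLog.push(`updated user=${session.userId} participant=${participantId}`);
  return true;
}
```

The denied entries in auditLog are the signal a monitoring rule would alert on: repeated denials from one user against many participant ids is the pattern the analysis says organizations should watch for.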

Responsible

GitHub M

Reservation

11/13/2025

Disclosure

11/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00043

KEV

no

Activities

very low
