CVE-2025-65033 HIGH

CVE-2025-65033: Rallly Broken Authorization: Any User Can Pause or Resume Any Poll via Poll ID Manipulation

Vendor Lukevella
Product rallly
Weakness CWE-285
Published November 19, 2025
Last update November 19, 2025
View on NVD All CVEs

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.

Key dates

02Disclosure timeline

November 19, 2025 CVE published
November 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-0609 Improper Authorization in wallabag/wallabag CVE-2023-3574 Improper Authorization in pimcore/customer-data-framework CVE-2023-1910 Getwid – Gutenberg Blocks <= 1.8.3 - Improper Authorization via get_remote_templates REST endpoint CVE-2023-0813 Network-observability-console-plugin-container: setting loki authtoken configuration to disable or host mode leads to authentication longer being enforced CVE-2023-27594 Cilium vulnerable to potential network policy bypass when routing IPv6 traffic