No way it's real: requesting specific URLs as a NO_ROLE user provides access to the dashboard of the FIFA World Cup 2026.
The whole thing boils down to one architectural mistake: client-side authorization with no server-side enforcement.
FIFA's internal applications use Microsoft Entra for authentication and role-based access control. The Angular/React/Vue frontends inspect the JWT's role claims and render an access-denied page when the required role is missing. The backend APIs, however, accept any authenticated tenant member's token and serve the data regardless of role, so calling the API directly with a roleless token bypasses the check entirely.
Rules to follow:
- Get a security.txt file (RFC 9116). Seriously. It's 2026.
- Publish a VDP (Vulnerability Disclosure Policy). You're running the biggest sporting event on earth.
- Client-side authorization is not authorization. Every intern learns this.
- When a researcher has to call CISA and the FBI to reach you, something is wrong.
- Start a bug bounty program. Researchers shouldn't have to call the FBI to do you a favor.