Bottom line: A missing authorization check in backend APIs allowed unauthorized users to access critical streaming and match data systems for the 2026 World Cup through FIFA’s public agents portal.
A security researcher under the pseudonym Bobdahacker discovered a critical vulnerability in FIFA’s infrastructure that enabled newly registered users without permissions to access internal systems — including live streaming panels and match management functions for the 2026 World Cup.
The vulnerability affected the public FIFA Agent Platform Portal (agents.fifa.org), through which football agents apply for accreditation. Upon registration, new accounts were automatically added to FIFA’s Microsoft Entra ID tenant — the same tenant that secures all of FIFA’s internal platforms. In theory, this allowed registered users to access every system that depends on that tenant.
The researcher discovered that client-side access control in the Angular application protected the Football Data Platform by blocking accounts marked with a NO_ROLES flag. The underlying APIs, however, did not validate these permissions. By calling the APIs directly, the researcher gained access to a live streaming management panel for the 2026 World Cup containing streaming configurations, RTMP endpoints, stream keys, and controls to start, stop, or schedule broadcasts. Also accessible were a live match dashboard, competition management tools, the Commentator Information System (which provides broadcasters with live statistics), and a Microsoft Azure development environment with metadata on revenues, transfers, and referees.
Via write permissions in match management functions, unauthorized users could have manipulated live statistics, commentary, tactical lineups, and match data. The researcher emphasized that these controls were functional but had not been deliberately activated. The vulnerability was reported through multiple FIFA channels and patched shortly thereafter. FIFA has not made a public statement on the matter to date.
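The pattern described above, as an added example (not FIFA’s code or the researcher’s): a handler that serves any authenticated tenant account, next to one that enforces roles on the server for both read and write routes. The route names, every role name other than NO_ROLES, and the shape of the user object are assumptions made for illustration.

```javascript
// Added illustration: route names, role names and the user object shape are hypothetical.
// Server-side map of route -> roles allowed to call it.
const ROUTE_ROLES = new Map([
  ["GET /streams", ["stream.viewer", "stream.operator"]],
  ["POST /streams/start", ["stream.operator"]],
  ["PUT /matches/stats", ["match.editor"]],
]);

// "Before": any account that authenticates against the shared tenant is served.
// The NO_ROLES check lives only in the browser, so calling the API directly skips it.
function handleVulnerable(req) {
  if (!req.user) return { status: 401 };
  return { status: 200 };
}

// "After": every request is authorized on the server, deny by default.
function handleHardened(req) {
  if (!req.user) return { status: 401 };
  const allowed = ROUTE_ROLES.get(`${req.method} ${req.path}`);
  if (!allowed) return { status: 403 }; // unmapped route: deny
  // Roles must come from the server-validated token, never from a request body or header.
  const roles = Array.isArray(req.user.roles) ? req.user.roles : [];
  if (roles.length === 0 || roles.includes("NO_ROLES")) return { status: 403 };
  return { status: allowed.some((r) => roles.includes(r)) ? 200 : 403 };
}

// Constructed sample identities and requests.
const selfRegistered = { id: "new-agent", roles: ["NO_ROLES"] };
const operator = { id: "ops-1", roles: ["stream.operator"] };
const requests = [
  { user: selfRegistered, method: "GET", path: "/streams" },
  { user: selfRegistered, method: "PUT", path: "/matches/stats" },
  { user: operator, method: "POST", path: "/streams/start" },
  { user: operator, method: "PUT", path: "/matches/stats" },
  { user: null, method: "GET", path: "/streams" },
];

// Returns one row per request with the status each handler produces.
function compareHandlers() {
  return requests.map((req) => ({
    who: req.user ? req.user.id : "anonymous",
    route: `${req.method} ${req.path}`,
    before: handleVulnerable(req).status,
    after: handleHardened(req).status,
  }));
}

console.table(compareHandlers());
```

The hardened handler also rejects an operator calling a route outside its role and any route missing from the map, which is the deny-by-default behaviour a UI-only guard cannot provide.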
Source: www.it-daily.net · Published 20 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.