FIA Driver Portal Flaw Granted Admin Access, Exposed F1 Driver Data Including Max Verstappen’s PII

A recently disclosed vulnerability in the FIA Driver Categorisation portal allowed unauthorized users to escalate privileges and gain administrative access to sensitive Formula 1 driver information, including personal identification data.

The flaw was discovered by researchers Gal Nagli, Sam Curry, and Ian Carroll, who were testing websites supporting Formula 1 during a recent Grand Prix event. According to their disclosure, the bug stemmed from a mass assignment vulnerability in the portal’s user update endpoint.

The portal, which manages FIA’s Bronze, Silver, Gold, and Platinum driver categorizations, permitted account creation and document uploads for validation. However, an unvalidated “roles” parameter in a PUT request allowed attackers to modify their own user privileges, granting full administrative access.
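To make the mass assignment pattern concrete, the following added example (not the FIA portal's code, and not from the researchers) models a profile update handler in two forms: a vulnerable version that copies every field from the request body into the stored record, and a hardened version that accepts only an explicit allow-list of user-editable fields and rejects anything else. A third function shows the detection side: scanning request logs for PUT bodies that touch server-controlled fields such as `roles`. All field names, paths and log lines are constructed assumptions.

```python
"""Mass assignment on a user update endpoint: vulnerable handler,
allow-list hardened handler, and a log check for privileged-field writes.
Added illustration; field names, paths and log format are assumed."""

import json
from copy import deepcopy

# Constructed sample record. "roles" and "categorisation" are meant to be
# set only by server-side logic, never by the account holder.
SAMPLE_USER = {
    "id": 1042,
    "email": "driver@example.invalid",
    "display_name": "Test Driver",
    "roles": ["user"],
    "categorisation": "Bronze",
}

# The only fields a user may change about their own profile (assumed).
PROFILE_ALLOWLIST = frozenset({"email", "display_name"})


def update_profile_vulnerable(user: dict, payload: dict) -> dict:
    """Mass assignment: every key in the JSON body is written through,
    so a body containing "roles" rewrites the caller's own privileges."""
    updated = deepcopy(user)
    updated.update(payload)
    return updated


class RejectedFields(ValueError):
    """Raised when a request tries to set fields outside the allow-list."""

    def __init__(self, fields):
        super().__init__(f"fields not permitted on this endpoint: {sorted(fields)}")
        self.fields = frozenset(fields)


def update_profile_hardened(user: dict, payload: dict) -> dict:
    """Allow-list binding: copy only PROFILE_ALLOWLIST keys. Unknown keys
    fail the request (fail closed) rather than being silently dropped, so
    the attempt is visible to the caller and to server logs."""
    unexpected = set(payload) - PROFILE_ALLOWLIST
    if unexpected:
        raise RejectedFields(unexpected)
    updated = deepcopy(user)
    for key in PROFILE_ALLOWLIST & set(payload):
        updated[key] = payload[key]
    return updated


# Constructed access-log lines in an assumed "METHOD PATH user=ID body=JSON" format.
SAMPLE_REQUEST_LOG = [
    'PUT /api/users/1042 user=1042 body={"display_name": "Test Driver"}',
    'PUT /api/users/1042 user=1042 body={"display_name": "Test Driver", "roles": ["admin"]}',
    'PUT /api/users/1043 user=1043 body={"email": "other@example.invalid"}',
]

SENSITIVE_FIELDS = ("roles", "is_admin", "categorisation")


def flag_privileged_writes(lines, sensitive=SENSITIVE_FIELDS):
    """Return (path, touched_fields) for every PUT whose body names a
    server-controlled field. Useful as a retrospective hunt or as an
    alert rule on endpoints that should never see such keys from users."""
    hits = []
    for line in lines:
        method, path, rest = line.split(" ", 2)
        if method != "PUT" or "body=" not in rest:
            continue
        body = json.loads(rest.split("body=", 1)[1])
        touched = sorted(k for k in body if k in sensitive)
        if touched:
            hits.append((path, touched))
    return hits


if __name__ == "__main__":
    attempt = {"display_name": "Test Driver", "roles": ["admin"]}
    print("vulnerable roles:", update_profile_vulnerable(SAMPLE_USER, attempt)["roles"])
    try:
        update_profile_hardened(SAMPLE_USER, attempt)
    except RejectedFields as err:
        print("hardened rejected:", err)
    print("log hits:", flag_privileged_writes(SAMPLE_REQUEST_LOG))
```

The hardened handler deliberately rejects rather than ignores unexpected keys: silently dropping them hides probing from logs, whereas a rejection paired with the log check above gives a clean signal for an alert on any self-service endpoint.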

Once escalated, the researchers could view sensitive FIA data, including passport information, resumes, and internal notes associated with licensed drivers such as Max Verstappen. “We stopped testing after confirming access to personal information and deleted all data,” the researchers said in their disclosure.

The vulnerability was responsibly reported to FIA on June 3, 2025. The organization took the affected site offline the same day and implemented a full fix by June 10, 2025. The issue was publicly disclosed on October 22, 2025, following standard coordinated disclosure practices.