BFLA — Broken Function Level Authorization

A non-admin reaches admin-only routes because authorisation was bolted on per handler instead of built into the architecture. Covers verb asymmetry (the GET is checked, the DELETE on the same resource is not), the hidden-routes myth, roles trusted from request headers, "internal" endpoints that are reachable from the public edge, staged-rollout leaks, and the centralised, default-deny policy engine that ends it.
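As an added illustration (not code from the original article), the following constructed Python module shows three of the failure modes named above side by side with the fix: a per-handler check present on `GET /admin/users` but missing on `DELETE /admin/users` (verb asymmetry), an "internal" endpoint that derives its role from a client-supplied `X-Role` header, and a single default-deny `authorize()` gate keyed on (verb, path prefix) that runs before any handler is looked up. Route names, roles, the `Request` shape and the `POLICY` table are all hypothetical; the role in the hardened path is assumed to come from a server-side session, never from the request.

```python
"""BFLA: per-handler authorisation vs. a central default-deny policy gate.

Constructed example. Routes, roles and the Request type are made up for
illustration; no web framework is used so it runs offline.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    session_role: str = "anonymous"   # role bound server-side to the session


# --- Vulnerable: authorisation bolted on per handler ---------------------

def v_list_users(req):
    if req.session_role != "admin":     # the GET remembers to check
        return 403, "forbidden"
    return 200, "user list"


def v_delete_user(req):
    # Verb asymmetry: the DELETE handler for the same resource has no check.
    return 200, "deleted"


def v_internal_reindex(req):
    # "Internal" endpoint trusting a header the client controls.
    if req.headers.get("X-Role") != "admin":
        return 403, "forbidden"
    return 200, "reindexed"


VULN_ROUTES = {
    ("GET", "/admin/users"): v_list_users,
    ("DELETE", "/admin/users"): v_delete_user,
    ("POST", "/internal/reindex"): v_internal_reindex,
}


def vulnerable_dispatch(req):
    handler = VULN_ROUTES.get((req.method, req.path))
    return (404, "not found") if handler is None else handler(req)


# --- Hardened: one policy table, default deny, evaluated before routing --

# (verb, path prefix) -> roles allowed. Anything not listed is denied.
# An empty set means no role from the public edge may call it.
POLICY = {
    ("GET", "/admin/"): {"admin"},
    ("DELETE", "/admin/"): {"admin"},
    ("POST", "/internal/"): set(),
    ("GET", "/me"): {"user", "admin"},
}


def authorize(req):
    """Return True only if a policy entry explicitly grants the session role.

    The most specific (longest) matching prefix wins, so a narrow rule can
    override a broad one. No match at all means deny, which is what makes
    undocumented or not-yet-announced routes safe by default.
    """
    role = req.session_role          # never req.headers: headers are attacker input
    for (method, prefix), roles in sorted(
        POLICY.items(), key=lambda kv: -len(kv[0][1])
    ):
        if req.method == method and req.path.startswith(prefix):
            return role in roles
    return False


HARD_ROUTES = {
    ("GET", "/admin/users"): lambda r: (200, "user list"),
    ("DELETE", "/admin/users"): lambda r: (200, "deleted"),
    ("POST", "/internal/reindex"): lambda r: (200, "reindexed"),
    ("GET", "/me"): lambda r: (200, "profile"),
}


def hardened_dispatch(req):
    if not authorize(req):           # policy runs before the route is even resolved
        return 403, "forbidden"
    handler = HARD_ROUTES.get((req.method, req.path))
    return (404, "not found") if handler is None else handler(req)


if __name__ == "__main__":
    low = Request("DELETE", "/admin/users", session_role="user")
    print("vulnerable:", vulnerable_dispatch(low))   # 200: BFLA
    print("hardened:  ", hardened_dispatch(low))     # 403
```

The policy table is deliberately keyed by verb as well as prefix: a rule that covers `/admin/` for GET but says nothing about DELETE is exactly the asymmetry the article describes, and with default deny that silence fails closed instead of open. In a real service the path should be canonicalised (case, trailing slash, dot segments, percent-encoding) before the prefix match, or the gate can be bypassed by a path the router normalises differently than the policy check does.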
