A significant flaw in the API of Schemata, an AI-driven virtual training platform engaged with the Department of Defense (DoD), has recently put sensitive military training data and personnel records at risk. The zero-authorization vulnerability was identified by the AI hacking agent Strix, revealing that low-privileged accounts could access cross-tenant data across the platform.
Understanding the Vulnerability
The breach was a result of insufficient authorization boundaries and a lack of tenant isolation within Schemata’s API. Strix’s analysis showed that low-privileged accounts could replay high-value endpoints simply using a regular session, as the API lacked proper organizational and permission checks. This oversight allowed the global exposure of data rather than restricting it to specific accounts.
Moreover, the absence of authorization checks on routes that allowed data modification posed a threat, enabling potential malicious activities like altering or erasing training materials.
Extent of the Data Exposure
The vulnerability posed a severe operational security risk. Through a user-listing endpoint, unprivileged accounts could access comprehensive user information, including names, emails, enrollment details, and military base locations. Such exposure increases the likelihood of targeted phishing and doxing attacks on military personnel.
In addition to personal information, the breach exposed metadata and AWS S3 links to confidential training manuals, including proprietary naval training courses and Army manuals on ordnance handling.
Response and Compliance Challenges
Strix reported the vulnerability to Schemata on December 2, 2025, but the issue remained unresolved for several months. It was only after a final notice of impending publication that Schemata acknowledged the problem and implemented an immediate patch on May 1, 2026. Strix has since verified that the vulnerability has been rectified.
For defense contractors, maintaining API security is crucial due to federal regulations such as DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC). These regulations mandate cybersecurity measures and breach reporting for contractors handling Controlled Unclassified Information (CUI).
Given the severity of the breach, stakeholders in the defense sector are advised to review access logs, determine the duration of exposure, and ensure that affected individuals are informed.
Stay updated on cybersecurity developments by following us on Google News, LinkedIn, and X. Contact us to share your stories.
