Critical API Flaw Risks DoD Contractor Data Exposure

Critical API Flaw Risks DoD Contractor Data Exposure

Posted on By CWS

A significant flaw in the API of Schemata, an AI-driven virtual training platform engaged with the Department of Defense (DoD), has recently put sensitive military training data and personnel records at risk. The zero-authorization vulnerability was identified by the AI hacking agent Strix, revealing that low-privileged accounts could access cross-tenant data across the platform.

Understanding the Vulnerability

The breach was a result of insufficient authorization boundaries and a lack of tenant isolation within Schemata’s API. Strix’s analysis showed that low-privileged accounts could replay high-value endpoints simply using a regular session, as the API lacked proper organizational and permission checks. This oversight allowed the global exposure of data rather than restricting it to specific accounts.

Moreover, the absence of authorization checks on routes that allowed data modification posed a threat, enabling potential malicious activities like altering or erasing training materials.

Extent of the Data Exposure

The vulnerability posed a severe operational security risk. Through a user-listing endpoint, unprivileged accounts could access comprehensive user information, including names, emails, enrollment details, and military base locations. Such exposure increases the likelihood of targeted phishing and doxing attacks on military personnel.

In addition to personal information, the breach exposed metadata and AWS S3 links to confidential training manuals, including proprietary naval training courses and Army manuals on ordnance handling.

Response and Compliance Challenges

Strix reported the vulnerability to Schemata on December 2, 2025, but the issue remained unresolved for several months. It was only after a final notice of impending publication that Schemata acknowledged the problem and implemented an immediate patch on May 1, 2026. Strix has since verified that the vulnerability has been rectified.

For defense contractors, maintaining API security is crucial due to federal regulations such as DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC). These regulations mandate cybersecurity measures and breach reporting for contractors handling Controlled Unclassified Information (CUI).

Given the severity of the breach, stakeholders in the defense sector are advised to review access logs, determine the duration of exposure, and ensure that affected individuals are informed.

Stay updated on cybersecurity developments by following us on Google News, LinkedIn, and X. Contact us to share your stories.

Cyber Security News Tags:, , , , , , , , , , , , , ,

Related Posts

Critical OpenSSH GSSAPI Flaw Threatens Linux Servers Critical OpenSSH GSSAPI Flaw Threatens Linux Servers Cyber Security News
Speagle Malware Exploits Cobra DocGuard for Data Theft Speagle Malware Exploits Cobra DocGuard for Data Theft Cyber Security News
Hackers Use ClickFix Technique to Deploy NetSupport RAT via Compromised WordPress Sites Hackers Use ClickFix Technique to Deploy NetSupport RAT via Compromised WordPress Sites Cyber Security News
Seraphic Becomes the First and Only Secure Enterprise Browser Solution to Protect Electron-Based Applications Seraphic Becomes the First and Only Secure Enterprise Browser Solution to Protect Electron-Based Applications Cyber Security News
CISA Alerts on Active Exploitation of Google Chromium Vulnerability CISA Alerts on Active Exploitation of Google Chromium Vulnerability Cyber Security News
Critical WatchGuard Firebox Vulnerabilities Let Attackers Bypass Integrity Checks and Inject Malicious Codes Critical WatchGuard Firebox Vulnerabilities Let Attackers Bypass Integrity Checks and Inject Malicious Codes Cyber Security News