Zero-Auth Flaw Exposes DoD Contractor Cross- Cross-Tenant Data

A severe zero-authorization vulnerability in Schemata’s API, an AI-powered virtual training platform with active Department of Defense (DoD) contracts, recently exposed highly sensitive military training materials and U.S. service member records.

Discovered by the open-source AI hacking agent Strix, the flaw allowed ordinary, low-privileged accounts to access cross-tenant data across the entire platform.

The vulnerability stemmed from a complete lack of authorization boundaries and tenant isolation on the application’s API.

When Strix established a low-privilege baseline and mapped reachable API surfaces, it successfully replayed high-value collection endpoints using a standard session.

The API failed to enforce organizational scoping or permission checks. Instead of returning data restricted to the test account, the system globally returned data across the entire platform.

Furthermore, the absence of authorization checks on write-enabled routes meant a malicious actor could have potentially modified or deleted training courses entirely.

Zero-Auth Flaw Exposes DoD Contractor

The scope of the exposed data represented a massive operational security risk.

Through a user-listing endpoint, the unprivileged test account accessed the entire user base, revealing names, email addresses, enrollment data, and the specific military bases where U.S. service members were stationed.

This level of exposure leaves personnel highly vulnerable to targeted phishing and doxing attacks.

Beyond personal records, course and organization endpoints leaked metadata and direct AWS S3 links to hundreds of confidential training manuals.

This included a 3D virtual training course for naval maintenance personnel marked as proprietary, as well as Army field manuals detailing the safe handling, arming sequences, and tactical deployment of explosive ordnance.

Strix first reported the vulnerability privately to Schemata on December 2, 2025, highlighting challenges in responsible disclosure.

Despite multiple follow-up attempts warning of the critical nature of the exploit, the vulnerability remained live for months.

It was not until May 1, 2026, 150 days after the initial disclosure and following a final notice of impending publication, that Schemata acknowledged the exposed endpoints and applied an immediate patch. The researchers have since verified the remediation.

For defense contractors, API security is a strict regulatory requirement under federal rules such as DFARS 252.204-7012.

The Cybersecurity Maturity Model Certification (CMMC) requires contractors handling Controlled Unclassified Information (CUI) to have mandatory cybersecurity and breach-reporting obligations.

A platform serving military training data with no API authorization layer represents a foundational security failure.

Customers and partners in the defense sector are strongly encouraged to inquire about access logs, the duration of the exposure, and whether affected users have been formally notified.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.