Defense Contractor Exposes Military Training Data Through API Flaw

“I would love to hear what the vulnerability is, but I assume you want to get paid for it. Is that the play?” That was, according to Strix, the initial reply from Schemata’s CEO after the open-source security project first contacted the company about exposed data on Dec. 2, 2025. Strix went on to publish its findings 152 days after that initial outreach, saying it had verified remediation before going public.

Strix’s findings: a low-privilege account, broad access

Strix, an open-source autonomous security testing project, reported that Schemata, an AI-powered virtual training platform used in military and defense settings, exposed user records and training materials through API endpoints that lacked meaningful authorization checks. Using a normal, low-privilege account, Strix said researchers watched browser traffic to identify API endpoints and then requested high-value data using the same session. The requests returned records from outside the account’s own organization, which Strix said suggested the API was not properly enforcing tenant boundaries or user permissions.

Strix described the vulnerability as not requiring a complex exploit. Strix also reported that some API routes appeared “write-enabled,” meaning a malicious actor could potentially modify or delete courses through update or delete requests, though Strix said it did not perform destructive testing.

Data and courses that were exposed

According to Strix, the exposed information included user listings, organization records, course information, training metadata and direct links to documents hosted on Schemata’s Amazon Web Services instances. The disclosed materials, Strix said, comprised sensitive training content: a 3D virtual training course for naval maintenance personnel with documentation marked confidential and proprietary, a course containing Army field manuals on explosive ordnance handling and tactical deployment, and hundreds of user records linked to bases and training enrollments.

Strix also reported that exposed user records contained names, email addresses, enrollment details and the military bases where U.S. service members were stationed. The company said that, even when information is not classified, records of where service members are based, what training they are enrolled in and which materials they can access can create risks if exposed outside intended channels.

Schemata’s response, remediation, and public statements

On May 1, Schemata acknowledged that the affected endpoints were exposed, after what Strix described as a roughly 150-day disclosure process. In a statement posted on its website, Schemata said it did not have “evidence that any third party exploited the vulnerability to access customer data.” The company also said it remediated the vulnerability the same day it received actionable details and that the researcher independently verified the fix before publishing their findings.

Schemata added it is working with cybersecurity consultants to assist with its response and improve its security posture, and that it is in contact with government authorities about the vulnerability.

Disclosure timeline and communications

Strix said it first contacted Schemata on Dec. 2, 2025, and clarified the same day that compensation was not required and that its priority was user safety. Strix reported sending multiple follow-ups from Dec. 8–29 warning the vulnerability was critical and asking where to send details. Five months later, after Strix told Schemata that researchers were preparing to publish the information, Schemata responded, acknowledged the exposed endpoints and said it would patch the issue immediately. Strix said it verified remediation before publication.

CyberScoop reached out to Strix for comment; Strix did not respond. The Department of Defense Cyber Crime Center (DC3), which contractors handling Controlled Unclassified Information (CUI) must notify of cyber incidents, did not respond to CyberScoop’s request for comment.

What this means for DoD contractors, Schemata customers, and cybersecurity teams

  • DoD contractors: The report underscores that companies holding CUI face mandatory reporting obligations — contractors that handle such data must report cyber incidents to the Department of Defense Cyber Crime Center, a requirement referenced in the published account.
  • Schemata customers (military and training units): Units using the platform had course materials and enrollment data exposed, which could reveal operational context, including bases and training enrollments; Schemata says it has no evidence of third-party exploitation.
  • Cybersecurity teams and incident responders: The described attack vector — observing normal browser traffic, identifying API endpoints, and reusing the session to request broader data — highlights a failure of tenant and permission enforcement in multi-tenant systems and points to the need to validate authorization on server-side APIs.
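
As an added illustration of the server-side check the last point calls for (this is not code from Schemata, Strix or the published account), the sketch below puts an authenticated-but-unauthorized read handler beside a tenant-scoped one and includes a regression check that lists any records a session can still read outside its own organization. All names, ids and roles are hypothetical and the records are constructed.

```python
from dataclasses import dataclass

# Constructed records; org ids, course ids and roles are hypothetical.
COURSES = {
    "c1": {"org": "org-a", "title": "Onboarding"},
    "c2": {"org": "org-b", "title": "Maintenance procedures"},
}

@dataclass(frozen=True)
class Session:
    user: str
    org: str
    role: str  # "learner" or "admin"

class Forbidden(Exception):
    """Raised for both unknown ids and other tenants' ids."""

def read_unscoped(session, course_id, store=COURSES):
    # Failure mode from the article: authenticated, but never authorized.
    return store[course_id]

def allowed(session, course, action):
    if course["org"] != session.org:      # tenant boundary first
        return False
    if action in ("update", "delete"):    # write routes need a role
        return session.role == "admin"
    return action == "read"

def read_scoped(session, course_id, store=COURSES):
    course = store.get(course_id)
    if course is None or not allowed(session, course, "read"):
        raise Forbidden(course_id)
    return course

def delete_scoped(session, course_id, store=COURSES):
    course = store.get(course_id)
    if course is None or not allowed(session, course, "delete"):
        raise Forbidden(course_id)
    del store[course_id]

def cross_tenant_leaks(handler, session, store=COURSES):
    """Regression check: ids outside session.org that the handler still returns."""
    leaks = []
    for cid, course in store.items():
        if course["org"] == session.org:
            continue
        try:
            handler(session, cid, store)
            leaks.append(cid)
        except Forbidden:
            pass
    return leaks
```

Running cross_tenant_leaks against every read route with a low-privilege session from each tenant gives a repeatable way to confirm a fix of this kind and to catch its regression.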

The published account leaves a clear ledger: a basic authorization failure allowed cross-tenant data access on a platform used in defense settings, the company says it fixed the issue the same day it received actionable details, and an open-source researcher verified the remediation before publication. The episode also raises a practical question embedded in the record: how quickly and effectively companies that host government-related training data receive reports from researchers and move from acknowledgement to patching — and how those timelines are recorded and reported when sensitive, non-classified operational information is involved.

https://cyberscoop.com/schemata-dod-contractor-api-flaw-military-data-exposure/