A defense technology company contracted by the U.S. Department of Defense exposed sensitive military training materials and service member records through inadequately secured API endpoints, according to an independent security research project. The vulnerability impacted Schemata, an AI-powered virtual training platform used in military and defense environments.

The issue was identified by Strix, an open-source autonomous security testing project, which found that a low-privilege account could access data across multiple tenants. This included user listings, organization records, course information, training metadata, and direct links to documents stored on Schemata’s Amazon Web Services instances.

Among the exposed materials were:

  • A 3D virtual training course for naval maintenance personnel, marked as confidential and proprietary.
  • A course containing Army field manuals on explosive ordnance handling and tactical deployment.
  • Hundreds of user records linked to military bases and training enrollments, including names, email addresses, and enrollment details.

Schemata confirmed the affected endpoints were exposed on May 1, 2025, following what Strix described as a 150-day disclosure process. Strix verified remediation before publishing its findings this week, 152 days after its initial disclosure attempt.

The vulnerability did not require a complex exploit. Strix reported that it used a low-privilege account to monitor normal browser traffic, identify exposed API endpoints, and request high-value data within the same session. These requests returned records from outside the account’s organization, indicating a failure in tenant boundary enforcement or user permissions.

In multi-tenant software, authorization controls are designed to restrict users to data and functions assigned to their account. Strix’s findings suggest a basic breakdown in this model. The project also noted that some API routes appeared "write-enabled," potentially allowing malicious actors to modify or delete courses via update or delete requests, though Strix did not perform destructive testing.
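The tenant-boundary failure the article describes, illustrated as an added example that is not Schemata's or Strix's code: a record lookup keyed on the resource id alone, beside read, list and write handlers that scope every request to the caller's organization and role. The organization ids, course records and role names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: two tenants (organizations) on one platform.
@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: str   # set server-side at login, never taken from the request
    role: str     # "viewer" or "editor"

@dataclass
class Course:
    course_id: str
    org_id: str
    title: str

COURSES = {
    "c-101": Course("c-101", "org-a", "Maintenance course (org A)"),
    "c-202": Course("c-202", "org-b", "Field manual course (org B)"),
}

class Forbidden(Exception):
    pass

def get_course_unscoped(session: Session, course_id: str) -> Course:
    """The defect class in the article: the lookup keys on the resource id
    alone, so any authenticated caller reads any tenant's record."""
    return COURSES[course_id]

def get_course_scoped(session: Session, course_id: str) -> Course:
    """Hardened read: the caller's tenant is part of the lookup itself."""
    course = COURSES.get(course_id)
    if course is None or course.org_id != session.org_id:
        # Same answer for "missing" and "other tenant", so the API does not
        # confirm which ids exist outside the caller's organization.
        raise Forbidden("course not found in this organization")
    return course

def update_course_scoped(session: Session, course_id: str, title: str) -> Course:
    """Write route: tenant scope plus a role check, so a low-privilege
    account cannot modify records even inside its own tenant."""
    course = get_course_scoped(session, course_id)
    if session.role != "editor":
        raise Forbidden("role may not modify courses")
    course.title = title
    return course

def list_courses_scoped(session: Session) -> list:
    """Listings must filter by tenant too; returning the whole table is the
    cross-tenant enumeration the article describes."""
    return [c for c in COURSES.values() if c.org_id == session.org_id]
```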

Schemata’s platform serves military and defense training environments, where user identities, assignments, and course enrollments can reveal sensitive operational context. Even unclassified information—such as service member locations, training enrollments, and accessible materials—may pose risks if exposed outside intended channels.

In a statement on its website, Schemata stated it had "no evidence that any third party exploited the vulnerability to access customer data."

The disclosure timeline also highlights concerns about how companies handling sensitive government-related data respond to vulnerability reports. Strix said it first contacted Schemata on December 2, 2025. According to Strix, Schemata’s CEO initially responded, "I would love to hear what the vulnerability is, but I assume you want to get paid for it. Is that the play?"

Strix clarified the same day that compensation was not required and emphasized its focus on user safety. It sent multiple follow-ups from December 8–29, 2025, warning of the risks before publishing its findings.

Source: CyberScoop