Critical Zero-Auth Vulnerability in DoD-Linked AI Training Platform Exposed Sensitive Military Data
A severe authorization flaw in Schemata, an AI-powered virtual training platform under contract with the U.S. Department of Defense (DoD), was discovered by security researcher Alex Schapiro using Strix, an open-source AI agent for penetration testing. The report classifies it as a zero-auth issue: the affected API endpoints performed no authorization check at all, so an unprivileged account could read, and potentially manipulate, highly sensitive military training materials and personnel records belonging to other tenants of the platform.
Key Details of the Vulnerability
- Discovery & Exploitation: Strix mapped Schemata's API surface, then replayed the high-value endpoints with a low-privilege account. The responses showed that the backend enforced neither tenant isolation nor per-object permission checks: a request was served as long as it named a valid object, regardless of which organization owned it, which exposed data from every organization using the platform.
- Exposed Data: The flaw granted access to:
- Full user directories, including names, email addresses, and military base deployments of active-duty personnel, exposing them to targeted phishing and doxing.
- Confidential training modules, such as 3D naval maintenance simulations and Army field manuals on explosive ordnance deployment, along with direct AWS S3 links to these assets.
- Write-enabled routes carrying the same missing checks, so training content could potentially be modified or deleted, not merely read.
- Regulatory Implications: The absence of basic API authorization put Schemata in breach of the DoD cybersecurity mandates it is subject to as a contractor handling Controlled Unclassified Information (CUI), including DFARS 252.204-7012 and CMMC requirements.
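The bug class behind the findings above is broken object-level authorization: a handler fetches a record by its id and never asks whether the caller's tenant owns it. The following is an added example, not Schemata's or Strix's code, that models that class in a toy multi-tenant training API. It pairs the vulnerable handlers (read and write routes that check only the object id) with hardened versions that scope every lookup to the caller's tenant and gate writes on role, and it includes a replay check in the spirit of the Strix run: drive each endpoint with a low-privilege account from one tenant against every object owned by other tenants and report which calls succeed. The tenants, users, module ids and asset URLs are constructed for illustration.

```python
"""Toy multi-tenant training API: missing-authorization bug, hardened fix, replay check.
Added example; tenants, users, modules and ids below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str          # "member" or "admin"


@dataclass
class Module:
    module_id: str
    tenant_id: str     # owning organization
    title: str
    asset_url: str     # stands in for a link to the underlying object-store asset


class Forbidden(Exception):
    """Raised by the hardened handlers. In an HTTP layer this maps to 404 rather than
    403 so that foreign object ids cannot be enumerated through the error code."""


def make_store():
    """Fresh in-memory store keyed by module id (constructed sample data)."""
    mods = [
        Module("mod-navy-1", "tenant-navy", "Pump maintenance (3D sim)", "s3://example-bucket/navy/pump.glb"),
        Module("mod-army-1", "tenant-army", "Ordnance handling manual", "s3://example-bucket/army/fm.pdf"),
        Module("mod-army-2", "tenant-army", "Convoy procedures", "s3://example-bucket/army/convoy.pdf"),
    ]
    return {m.module_id: m for m in mods}


# --- Vulnerable handlers: the object id is the only thing checked ----------------
def get_module_vulnerable(store, user, module_id):
    return store[module_id]            # served to any authenticated user of any tenant


def delete_module_vulnerable(store, user, module_id):
    del store[module_id]               # write route with the same missing check


# --- Hardened handlers: tenant scoping first, then a role check for writes -------
def get_module_secure(store, user, module_id):
    module = store.get(module_id)
    if module is None or module.tenant_id != user.tenant_id:
        raise Forbidden(module_id)     # same answer for "missing" and "not yours"
    return module


def delete_module_secure(store, user, module_id):
    module = get_module_secure(store, user, module_id)   # tenant check inherited
    if user.role != "admin":
        raise Forbidden(module_id)
    del store[module.module_id]


# --- Replay check: low-privilege account from one tenant against everyone else's objects
def cross_tenant_replay(store, endpoint, attacker):
    """Call `endpoint` as `attacker` for every module owned by another tenant.
    Returns the ids on which the call succeeded; any non-empty result is a finding."""
    leaked = []
    for module_id, module in list(store.items()):
        if module.tenant_id == attacker.tenant_id:
            continue
        try:
            endpoint(store, attacker, module_id)
        except (Forbidden, KeyError):
            continue
        leaked.append(module_id)
    return leaked


if __name__ == "__main__":
    low_priv = User("u-navy-1", "tenant-navy", "member")
    print("vulnerable read leaks:  ", cross_tenant_replay(make_store(), get_module_vulnerable, low_priv))
    print("hardened read leaks:    ", cross_tenant_replay(make_store(), get_module_secure, low_priv))
    print("vulnerable delete hits: ", cross_tenant_replay(make_store(), delete_module_vulnerable, low_priv))
    print("hardened delete hits:   ", cross_tenant_replay(make_store(), delete_module_secure, low_priv))
```

The replay is deliberately run with the least privileged account available, because that is the account whose success proves the check is missing rather than merely misconfigured for one role; run it once per route, including the write routes, since a read-only check would have missed the deletion path the report describes.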
Delayed Response & Patch Timeline
- December 2, 2025: Researchers first disclosed the vulnerability to Schemata, but the company initially dismissed the report as a bug bounty solicitation.
- 150-Day Exposure: Despite repeated warnings, the flaw remained unpatched for 150 days, until May 1, 2026, when Schemata acknowledged the report and fixed the issue shortly before public disclosure.
- Post-Patch Actions: DoD partners were advised to review access logs for the vulnerability window to establish what was actually read or modified. Because the authorization checks were absent rather than failing, cross-tenant requests would have succeeded and left no denied entries; the review has to compare each requesting account's tenant with the owner of the record that was served.
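The following is an added example of the log review just described; it is not from the article or from Schemata. It assumes a constructed access-log format that records the requesting user and tenant alongside method, path and status, a constructed resource-ownership table exported from the platform's database, and a constructed endpoint layout with per-module routes and an unscoped user-directory route. Each request inside the exposure window is joined against the ownership table and flagged when the requester's tenant differs from the owner, with writes separated from reads; hits on the directory route are flagged regardless, since that endpoint returned every tenant's users. Status codes are deliberately ignored, because while the checks were missing every such request succeeded.

```python
"""Access-log review for a missing-authorization window (added example).
Log format, endpoint layout, ownership table and all identifiers are constructed."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed: which tenant owns each module id (in practice exported from the app database).
RESOURCE_OWNER = {
    "mod-navy-1": "tenant-navy",
    "mod-army-1": "tenant-army",
    "mod-army-2": "tenant-army",
}

# Exposure window from the report: first disclosure to the vendor through the fix date.
# The start is a lower bound; the flaw predates its discovery, so a real review should
# reach back to when the vulnerable code was deployed.
WINDOW_START = datetime(2025, 12, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 1, 23, 59, 59, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) tenant=(?P<tenant>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
MODULE_RE = re.compile(r"^/api/v1/modules/(?P<module_id>[^/]+)(?:/.*)?$")
DIRECTORY_PATH = "/api/v1/users"          # unscoped directory route (constructed)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["status"] = int(rec["status"])
    return rec


def classify(rec, owners):
    """Return a finding kind for one request, or None if nothing needs review.
    Status codes are not consulted: with the checks absent there were no 403s to find."""
    if not (WINDOW_START <= rec["ts"] <= WINDOW_END):
        return None
    if rec["path"] == DIRECTORY_PATH:
        return "directory_read"             # returned all tenants' users; review every hit
    mm = MODULE_RE.match(rec["path"])
    if not mm:
        return None
    owner = owners.get(mm["module_id"])
    if owner is None or owner == rec["tenant"]:
        return None                         # unknown id or the requester's own tenant
    return "cross_tenant_write" if rec["method"] in WRITE_METHODS else "cross_tenant_read"


def review(lines, owners=RESOURCE_OWNER):
    """Run the review over an iterable of log lines and return the list of findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, owners)
        if kind is None:
            continue
        mm = MODULE_RE.match(rec["path"])
        findings.append({
            "kind": kind,
            "ts": rec["ts"].isoformat(),
            "user": rec["user"],
            "requester_tenant": rec["tenant"],
            "victim_tenant": owners[mm["module_id"]] if mm else "all",
            "method": rec["method"],
            "path": rec["path"],
        })
    return findings


def summarize(findings):
    """Counts per finding kind; the basis for per-tenant exposure notifications."""
    return Counter(f["kind"] for f in findings)


# Constructed sample log: mixed legitimate traffic, cross-tenant reads of a module and its
# assets, a directory pull, a cross-tenant delete, and a post-patch request that was denied.
SAMPLE_LOG = [
    "2025-11-20T09:00:00Z user=u-army-1 tenant=tenant-army GET /api/v1/modules/mod-army-1 200",
    "2025-12-03T14:02:11Z user=u-navy-7 tenant=tenant-navy GET /api/v1/modules/mod-army-1 200",
    "2025-12-03T14:02:15Z user=u-navy-7 tenant=tenant-navy GET /api/v1/modules/mod-army-1/assets 200",
    "2025-12-10T11:00:00Z user=u-navy-2 tenant=tenant-navy GET /api/v1/modules/mod-navy-1 200",
    "2026-01-15T08:30:00Z user=u-navy-7 tenant=tenant-navy GET /api/v1/users 200",
    "2026-02-01T10:00:00Z user=u-navy-7 tenant=tenant-navy DELETE /api/v1/modules/mod-army-2 204",
    "2026-03-10T12:00:00Z user=u-army-2 tenant=tenant-army GET /api/v1/modules/mod-army-2 404",
    "2026-05-03T09:00:00Z user=u-navy-7 tenant=tenant-navy GET /api/v1/modules/mod-army-1 403",
]

if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['kind']:<18} {f['user']} ({f['requester_tenant']}) "
              f"{f['method']} {f['path']} -> victim {f['victim_tenant']}")
    print(dict(summarize(found)))
```

Two things in the sample are worth noticing. The 404 on mod-army-2 after the delete is not a finding in itself, but it is the operational trace of the earlier cross-tenant write, so findings of kind cross_tenant_write should be followed by a check for later same-tenant errors on the same object. And the post-patch 403 falls outside the window and is ignored; after the fix, denied cross-tenant requests are the expected signal and belong to ordinary detection rather than to the exposure review.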
The incident underscores systemic risks in military-linked software supply chains, where inadequate authorization controls can lead to large-scale data breaches with national security implications.
Source: https://gbhackers.com/zero-auth-vulnerability-dod-contractor/
Schemata, Inc. cybersecurity rating report: https://www.rankiteo.com/company/schemataai
"id": "SCH1778056065",
"linkid": "schemataai",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'U.S. Department of Defense '
'(DoD) and partner organizations',
'industry': 'Defense, Military Training',
'location': 'United States',
'name': 'Schemata',
'type': 'AI-Powered Virtual Training Platform'}],
'attack_vector': 'API Exploitation',
'data_breach': {'file_types_exposed': ['3D simulations',
'Field manuals',
'User directories'],
'personally_identifiable_information': ['Names',
'Email addresses',
'Military base '
'deployments'],
'sensitivity_of_data': 'High (Controlled Unclassified '
'Information - CUI)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Military Training Materials',
'AWS S3 Links']},
'date_detected': '2025-12-02',
'date_publicly_disclosed': '2026-05-01',
'date_resolved': '2026-05-01',
'description': 'A severe authorization flaw in Schemata, an AI-powered '
'virtual training platform under contract with the U.S. '
'Department of Defense (DoD), allowed unprivileged users to '
'access and potentially manipulate highly sensitive military '
'training materials and personnel records across tenant '
'boundaries. The vulnerability was classified as a '
'zero-authentication (zero-auth) issue, enabling unauthorized '
'access to data across all organizations using the platform.',
'impact': {'brand_reputation_impact': 'National security implications, '
'systemic risks in military-linked '
'software supply chains',
'data_compromised': 'Full user directories (names, email '
'addresses, military base deployments), '
'confidential training modules (3D naval '
'maintenance simulations, Army field manuals '
'on explosive ordnance deployment), AWS S3 '
'links to assets',
'identity_theft_risk': 'Targeted phishing and doxing risks for '
'active-duty personnel',
'legal_liabilities': 'Violation of DoD cybersecurity mandates '
'(DFARS 252.204-7012, CMMC requirements)',
'operational_impact': 'Potential data manipulation or deletion of '
'critical training infrastructure',
'systems_affected': 'Schemata AI-powered virtual training '
'platform'},
'investigation_status': 'Completed',
'lessons_learned': 'Systemic risks in military-linked software supply chains '
'due to inadequate authorization controls; importance of '
'timely vulnerability patching and enforcement of tenant '
'isolation in multi-tenant platforms.',
'post_incident_analysis': {'corrective_actions': 'Patch applied to enforce '
'authorization controls, '
'review of access logs for '
'exposure assessment',
'root_causes': 'Failure to enforce tenant '
'isolation and permission checks in '
'the API, delayed response to '
'vulnerability disclosure'},
'recommendations': 'Implement robust API authorization checks, enforce tenant '
'isolation, conduct regular security audits, and ensure '
'compliance with DoD cybersecurity mandates.',
'references': [{'source': 'Security Researcher Alex Schapiro'}],
'regulatory_compliance': {'regulations_violated': ['DFARS 252.204-7012',
'CMMC requirements']},
'response': {'communication_strategy': 'Advisories to DoD partners to review '
'access logs',
'containment_measures': 'Patch applied to enforce tenant '
'isolation and permission checks',
'remediation_measures': 'Fix for zero-auth vulnerability, review '
'of access logs for potential data '
'exposure'},
'stakeholder_advisories': 'DoD partners advised to review access logs for '
'potential data exposure during the vulnerability '
'window.',
'title': 'Critical Zero-Auth Vulnerability in DoD-Linked AI Training Platform '
'Exposed Sensitive Military Data',
'type': 'Data Breach',
'vulnerability_exploited': 'Zero-Authentication (Zero-Auth) Flaw'}