A DoD Contractor Just Patched a 150-Day-Old Bug That Exposed Where Military Personnel Are Stationed
Schemata, a DoD contractor providing AI-powered training to US military customers, patched a zero-authorization API flaw on May 1, 2026 — 150 days after researcher Strix first disclosed it.
The vulnerability wasn't complex. Strix's report says there was no authorization check at all. Schemata's CEO assumed the disclosure was a paid bug bounty solicitation. The patch landed 150 days later.
WASHINGTON, D.C. — Schemata, a Department of Defense contractor providing AI-powered virtual training platforms to US military and defense customers, exposed names, email addresses, base assignments, course materials, and confidential military training documents through API endpoints that lacked any authorization checks. The flaw was patched on May 1, 2026 — 150 days after the open-source security testing project Strix first disclosed it on December 2, 2025.
For defense contractors and any organization handling Controlled Unclassified Information under DFARS 252.204-7012 and CMMC, this is a foundational compliance failure. An ordinary low-privilege account could query the entire platform's user database, including the specific US military bases where service members were stationed, by replaying API endpoints from a browser session. There were no tenant isolation boundaries, no organizational scoping, no permission checks. Schemata holds $3.4 million in DoD contracts and raised $5 million in May 2025 from venture funders including Andreessen Horowitz — context that, alongside CISA's CI Fortify push, makes this disclosure pattern a notable signal about the current state of federal contractor security expectations.
What was exposed and how
According to Strix's public account, the researcher established a low-privilege baseline account on Schemata's platform, observed normal browser traffic, identified the API endpoints exposed through the application, and replayed those same requests to fetch high-value data. CyberScoop's reporting describes it plainly: the exploit did not require complex tradecraft. It required noticing that the API didn't check whether the requesting user was authorized to receive what it was returning.
The exposed data, per CyberScoop and Cybersecurity News, included user listings across multiple tenants — names, email addresses, enrollment data, and military base assignments. It also included course information and training metadata, direct AWS S3 bucket links for hundreds of confidential training modules, a 3D virtual training course for naval maintenance personnel marked "confidential and proprietary," and US Army field manuals on explosive ordnance handling, arming sequences, and tactical deployment. Schemata told CyberScoop it has no evidence that any third party exploited the vulnerability to access customer data — a defensive framing that is common but legally insufficient under DFARS 252.204-7012's reporting requirements, which turn on whether exploitation could have occurred, not whether it was observed.
The disclosure timeline
Strix first reported the vulnerability privately to Schemata on December 2, 2025. Per Strix's account published by CyberScoop, the initial response from Schemata's CEO assumed the disclosure was a paid bug bounty solicitation rather than a coordinated security report. Strix sent multiple follow-up warnings over the subsequent months. The vulnerability remained live until May 1, 2026 — patched only after Strix's final notice that publication was imminent. The total window from initial disclosure to patch was approximately 150 days.
Schemata told CyberScoop it is working with cybersecurity consultants to assist response and improve its security posture, and is in contact with government authorities. Defense contractors handling Controlled Unclassified Information are required to report cyber incidents to the Department of Defense Cyber Crime Center. DC3 did not respond to CyberScoop's request for comment.
Why the bug class matters more than the bug
The Schemata exposure maps directly to two items on the OWASP API Security Top 10: Broken Object Level Authorization (does the user have permission to access this specific object, not just any object of this type?) and Broken Function Level Authorization (does a low-privilege user have access to functions intended for administrators or other tenants?). Schemata's platform implemented neither check. For an organization handling military training data, that is not a sophisticated zero-day. It is a missing baseline.
The wider signal for federal contracting is that API security is now a CMMC and DFARS audit surface in practice, not just on paper. Contractors should expect the next round of DoD security expectations to require independent API testing, and the Schemata case to be cited in audit findings as the failure pattern auditors are looking for. The Akhter brothers Opexus case demonstrated how insider access at federal contractors translates into criminal exposure; the Schemata case shows the same dynamic from the opposite direction — external API access without authorization checks producing equivalent data exposure.
The CyberSignal Analysis
Signal 01 — VDP maturity is the leading indicator
The most operationally telling fact in the Schemata case is not the bug. It is the CEO's initial response to a coordinated disclosure — assuming a bounty solicitation rather than engaging in good faith. Defense contractors and dual-use technology companies should establish a formal vulnerability disclosure program with published SLAs: 24-hour initial response, 5-day triage, 30-day remediation for critical and 90-day for high. Then train executives on what coordinated disclosure looks like, because the first email is going to land in their inbox before security's.
Signal 02 — Tenant isolation is no longer optional for govtech
An AI-powered training platform that serves multiple federal customers with no tenant isolation boundary at the API layer is not a defensible architecture for CUI handling. The right test is to take a low-privilege account in tenant A, replay API requests against tenant B's data IDs, and confirm the response is denied at the API tier — not just hidden in the UI. Every govtech CISO should have run this test in the last 12 months. If the answer is no, schedule it this week.
Signal 03 — "No evidence of exploitation" isn't a finding
Schemata's statement that it has no evidence of third-party exploitation is the standard defensive posture and is also legally insufficient under DFARS 252.204-7012, which obligates contractors to report incidents based on whether exploitation could have occurred. Pre-script your IR playbook to clarify this distinction for executives. The reporting trigger is exposure, not confirmed access. Treat it as such, and document the distinction in your IR runbook before you need it.
What to do this week
- If your organization uses any AI-powered training, simulation, or workforce-development platform in a military, defense, or government context, request access logs covering the December 2, 2025 through May 1, 2026 window and ask for written confirmation of whether unauthorized cross-tenant queries occurred during that period.
- Audit your own APIs against OWASP API Security Top 10 #1 and #5. The specific test: does a low-privilege user replaying high-privilege API endpoints get the data? Run the test on a baseline account, not a privileged one. If the answer is yes, you have the same class of bug.
- Confirm your vulnerability disclosure program has documented SLAs and that your CEO and senior executives have been briefed on what coordinated disclosure looks like, including how not to assume the first email is a bounty solicitation.
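The bug class described under "Why the bug class matters more than the bug" and the cross-tenant replay test recommended in Signal 02 and in the audit item above can both be shown in a few dozen lines. The following is an added, self-contained model written for this article; it is not Schemata's code, and every tenant, user, module and storage URL in it is constructed sample data. It places an unscoped handler pair (authenticated, but no object-level or function-level authorization, mirroring the behaviour the reporting describes) beside a scoped pair, then runs the same replay test against both: a low-privilege session in tenant A asks for tenant B's user listing and module IDs, and the test records whether each response was denied.

```python
"""Added example: object-level and function-level authorization for a
multi-tenant training API, plus the cross-tenant replay test a CISO would
run. Not Schemata's code; all records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the API knows about the caller after authentication."""
    user_id: str
    tenant_id: str
    role: str  # "learner" or "admin"


class Forbidden(Exception):
    """Raised by scoped handlers when a check fails (maps to HTTP 403)."""


# Constructed sample data: two tenants that must never see each other's records.
USERS = {
    "u1": {"tenant": "tenant-a", "name": "Learner A", "base": "Base Alpha (sample)"},
    "u2": {"tenant": "tenant-a", "name": "Admin A", "base": "Base Alpha (sample)"},
    "u3": {"tenant": "tenant-b", "name": "Learner B", "base": "Base Bravo (sample)"},
}
MODULES = {
    "m-100": {"tenant": "tenant-a", "title": "Module A1", "storage_url": "s3://sample-a/m-100"},
    "m-200": {"tenant": "tenant-b", "title": "Module B1", "storage_url": "s3://sample-b/m-200"},
}


# --- Unscoped handlers: a valid session is all that is checked (BOLA + BFLA) ---
def list_users_unscoped(session):
    # Returns every tenant's users to any authenticated caller.
    return [dict(id=uid, **u) for uid, u in USERS.items()]


def get_module_unscoped(session, module_id):
    # Looks the object up by ID alone; the caller's tenant is never consulted.
    return MODULES[module_id]


# --- Scoped handlers: function-level check, then object-level tenant scoping ---
def list_users_scoped(session):
    # Function-level authorization: user enumeration is an admin function.
    if session.role != "admin":
        raise Forbidden("listing users requires the admin role")
    # Object-level scoping: only records in the caller's own tenant come back.
    return [dict(id=uid, **u) for uid, u in USERS.items()
            if u["tenant"] == session.tenant_id]


def get_module_scoped(session, module_id):
    module = MODULES.get(module_id)
    # Deny identically for "missing" and "other tenant" so IDs cannot be probed.
    if module is None or module["tenant"] != session.tenant_id:
        raise Forbidden("module not available to this tenant")
    return module


# --- The replay test: low-privilege tenant-A session against tenant-B IDs ---
def cross_tenant_replay(list_users, get_module, foreign_ids=("m-200",)):
    """Returns {check_name: True if denied/clean, False if foreign data came back}."""
    learner = Session(user_id="u1", tenant_id="tenant-a", role="learner")
    results = {}
    try:
        rows = list_users(learner)
        # A listing that succeeds is acceptable only if no foreign-tenant row is in it.
        results["user_list_scoped"] = all(r["tenant"] == learner.tenant_id for r in rows)
    except Forbidden:
        results["user_list_scoped"] = True
    for mid in foreign_ids:
        try:
            get_module(learner, mid)
            results[f"module_{mid}_denied"] = False  # data returned: the bug is present
        except (Forbidden, KeyError):
            results[f"module_{mid}_denied"] = True   # nothing came back
    return results


def passes(results):
    """True only when every replayed request was denied at the API tier."""
    return all(results.values())


if __name__ == "__main__":
    print("unscoped:", cross_tenant_replay(list_users_unscoped, get_module_unscoped))
    print("scoped:  ", cross_tenant_replay(list_users_scoped, get_module_scoped))
```

The point of running the test against the API tier rather than the UI is visible in the unscoped pair: nothing in the UI layer is involved, and the only thing deciding whether tenant B's module and user rows come back is whether the handler compares the record's tenant to the session's tenant. In a real platform the same harness would wrap recorded HTTP requests rather than function calls, with the session replaced by the low-privilege account's cookies or token.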