A DOD contractor’s API flaw exposed military course data and service member records

A security researcher (Strix) found that Schemata’s AI-powered virtual training platform exposed sensitive military training materials and hundreds of user records via API endpoints that lacked proper authorization, enabling a low-privilege account to access data across multiple tenants; Schemata acknowledged the issue, patched the endpoints after a prolonged disclosure process, and said there is no evidence of third-party exploitation.