Securing a DoD Contractor: Finding a Multi-Tenant Authorization Vulnerability (www.strix.ai)

🤖 AI Summary
A significant security vulnerability was discovered in Schemata, an AI-powered military training platform operating under Department of Defense (DoD) contracts. Strix, an open-source autonomous AI hacking agent, found that Schemata's API performed no authorization checks, allowing unauthorized access to sensitive data, including U.S. service member records and confidential military training materials. Strix confirmed the gap by using a low-privilege account to retrieve user data across the platform, demonstrating a critical operational security risk. This incident underscores the importance of robust authorization mechanisms, particularly for platforms handling Controlled Unclassified Information (CUI) for the defense sector. With federal cybersecurity regulations mandating strict data protection protocols, Schemata's oversight poses a serious risk not only to individual privacy but also to national security. The exposure raises concerns about potential exploitation by malicious actors, making it imperative for organizations in sensitive domains to prioritize open disclosure channels, thorough vulnerability testing, and timely incident response.