For nearly five months, a critical security gap in a Pentagon-backed AI training platform left sensitive U.S. military personnel records and restricted training materials wide open to anyone with a low-privilege account. The vulnerability, discovered in Schemata, an immersive 3D simulation system used by multiple branches of the armed forces, could have allowed attackers to pivot across organizations without needing any real credentials. And the worst part? It took the company nearly 150 days to fix it.

Schemata, a startup funded by Andreessen Horowitz, holds active contracts with the U.S. Department of Defense to deliver virtual training environments for everything from naval maintenance to explosive ordnance handling. But in late 2025, security researcher Alex Schapiro, using the open-source AI hacking agent Strix, uncovered something deeply unsettling: the platform’s API had no authorization controls whatsoever. None. Zero. That meant a low-privilege user could simply replay API endpoints meant for high-value data and get back information belonging to other tenants, including rival military units or different organizations entirely.

The Strix Approach: Mapping the API Without Privilege

Strix began by creating a baseline, unprivileged account. Then it systematically mapped Schemata’s full API surface by observing normal application behavior and client-side route references. It replayed data collection endpoints using only that regular session. No elevation. No brute force. Just a simple replay. The results were alarming: the API returned platform-wide data instead of scoping responses to the authenticated user’s organization. There were no permission checks, no organizational filters, nothing.

Even write-enabled routes were unprotected. An attacker could have manipulated or permanently deleted core training infrastructure, like 3D maintenance assets or field manuals, without any authentication barrier. Imagine a scenario where a malicious actor deletes a critical training module just before a deployment briefing. That’s the kind of operational risk this flaw created.

What Data Was Exposed? More Than Just Names and Emails

The exposed data wasn’t just your run-of-the-mill directory. A low-privilege account could pull a complete platform-wide user directory, including full names, email addresses, and course enrollment data. More worryingly, it included the specific military base assignments of active U.S. service members. That’s information that could directly enable targeted phishing, social engineering, or doxing campaigns against military personnel. Think about it: a bad actor could craft a spear-phishing email that looks like it’s from a base commander, using the victim’s real duty station and training progress. Chilling.

The vulnerability also surfaced metadata and direct AWS S3 bucket links for hundreds of confidential training modules. Among them were proprietary 3D naval maintenance training assets and restricted U.S. Army field manuals covering tactical deployment of explosive ordnance. If accessed by unauthorized parties, that content carries obvious national security implications, ranging from espionage to enabling adversaries to replicate U.S. tactics.

A Timeline That Raises Eyebrows

The disclosure timeline reveals why reporting flaws to organizations handling government data can be a headache. Strix researchers first contacted Schemata on December 2, 2025. The company’s initial response? They mischaracterized the disclosure as a bug bounty solicitation, rather than a good-faith security alert. That created unnecessary friction and delay. Despite researchers clarifying their intent and sending multiple follow-up warnings, the vulnerability remained live for nearly 150 days.

Schemata ultimately acknowledged the issue and deployed a patch on May 1, 2026, just ahead of the scheduled public disclosure. That’s almost five months after the initial report. For a DoD contractor, this timeline is particularly concerning. Organizations with active Defense Department contracts operate under strict federal compliance frameworks, including DFARS 252.204-7012 and Cybersecurity Maturity Model Certification (CMMC) requirements, specifically designed to protect Controlled Unclassified Information (CUI). A production platform serving active military data with no functional API authorization layer represents a foundational failure under these standards.

What Government Partners Should Do Now

Government partners and military branches that used Schemata during that vulnerability window should immediately request access logs to assess whether unauthorized cross-tenant queries occurred. They need to evaluate the extent of any potential data exposure, especially regarding service member assignments and training module links. It’s not just about patching; it’s about understanding what might have been taken.

This incident underscores the operational security risks that arise when immersive training platforms handling classified or sensitive military content are deployed without rigorous access control validation. As the Pentagon pushes for more AI-driven training tools, the question becomes: how many other startups are rushing to market without the same level of scrutiny? The answer matters, because in this case, the cost of a missed authorization check could have been measured in compromised operations and endangered lives.