HeadlinesBriefing.com

DoD SaaS platform hit by zero‑auth flaw discovered by Strix

Hacker News

Security researchers at Strix have disclosed a flaw in the SaaS platform of a Department of Defense‑backed startup that allowed any tenant to read other customers’ data without authentication. The issue, dubbed a zero‑auth vulnerability, surfaced during a routine penetration test of the multi‑tenant environment. Strix’s report prompted an immediate security and compliance investigation by the vendor and its federal client.

Multi‑tenant SaaS applications depend on strict isolation to prevent data leaking between customers. In this case the authorization layer did not verify tenant identifiers, effectively treating every request as belonging to the first user who had logged in. A bypass of this kind can expose confidential project files, source code or classified documents, which is a serious concern for any organization handling sensitive government contracts.

The vendor patched the flaw within 48 hours, deploying token‑based tenant checks and pushing mandatory updates to all customers. Strix recommends that DoD contractors audit third‑party SaaS services for similar authorization gaps before granting them access to mission‑critical workloads. The incident underscores the need for rigorous security testing of supply‑chain software used by federal agencies.
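To make the failure mode and the fix concrete, here is an added Python illustration. It is not the vendor's code, and Strix's report does not describe the implementation: the tenant names, document IDs, session tokens and the specific bug mechanism (a tenant context cached in a process‑wide variable after the first login, so every later request, authenticated or not, is authorized as that first tenant) are assumptions made for this example. Beside it is a handler that derives the tenant only from the per‑request session token and checks record ownership on every access.

```python
"""Multi-tenant document API: a tenant-isolation bug beside its fix.

Added illustration, not the vendor's code. Tenant names, document IDs,
session tokens and the documents themselves are constructed sample data;
the global-variable bug is an assumed mechanism, not one from the report.
"""

import hmac

# Constructed sample data: two tenants, one document each.
DOCUMENTS = {
    "doc-1": {"tenant_id": "tenant-a", "body": "tenant A project files"},
    "doc-2": {"tenant_id": "tenant-b", "body": "tenant B source tree"},
}

# Constructed session table. A real service populates this at login and binds
# each token to the authenticated principal and its tenant on the server side.
SESSIONS = {
    "tok-a": {"user": "alice", "tenant_id": "tenant-a"},
    "tok-b": {"user": "bob", "tenant_id": "tenant-b"},
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def resolve_session(token):
    """Map a bearer token to its session, comparing in constant time."""
    for known, session in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return session
    raise Unauthenticated("no valid session for token")


# --- Vulnerable pattern (assumed): the tenant context lives in a process-wide
# variable that is filled by the first login and never re-derived per request.
_CURRENT_TENANT = None


def login_vulnerable(token):
    """First successful login pins the global tenant for the whole process."""
    global _CURRENT_TENANT
    if _CURRENT_TENANT is None:
        _CURRENT_TENANT = resolve_session(token)["tenant_id"]
    return _CURRENT_TENANT


def get_document_vulnerable(doc_id, token=None):
    """Never consults `token`: authorizes against the stale global tenant, so
    unauthenticated callers and other tenants alike act as the first tenant."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["tenant_id"] != _CURRENT_TENANT:
        raise Forbidden("document not found in your tenant")
    return doc["body"]


# --- Hardened: tenant comes only from the session bound to this request's
# token, and the record's owner is checked on every access.
def get_document(doc_id, token):
    """Missing and foreign documents get the same error, so document IDs
    cannot be enumerated across tenants."""
    session = resolve_session(token)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["tenant_id"] != session["tenant_id"]:
        raise Forbidden("document not found in your tenant")
    return doc["body"]


def raises(exc, fn, *args):
    """Return True if fn(*args) raises exc; used to check denials."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    login_vulnerable("tok-a")  # alice logs in first and pins the global tenant
    print("no token, vulnerable:", get_document_vulnerable("doc-1"))
    print("bob on A's doc, vulnerable:", get_document_vulnerable("doc-1", "tok-b"))
    print("bob on A's doc, hardened denied:", raises(Forbidden, get_document, "doc-1", "tok-b"))
    print("bob on own doc, hardened:", get_document("doc-2", "tok-b"))
```

The practical point of the hardened handler is that the tenant identifier is never taken from the request body, a query parameter or a cached global; it is looked up from the server‑side session that the token maps to, and the record's own tenant field is compared against it on every read. Returning one error for both "does not exist" and "belongs to another tenant" keeps a caller from confirming which document IDs exist outside its tenant.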