// Alert

School Pathways threat report

ServiceNow patched an unauthenticated API vulnerability on June 5, 2026 that allowed unauthorized access to customer instances under certain configurations. The vulnerability, first reported in April, permitted unauthenticated users to gain elevated access to susceptible instances. ServiceNow's investigation identified activity beginning June 2 on a subset of customer instances, later attributed to security researchers conducting bug bounty submissions rather than malicious actors. No data exfiltration was confirmed.

// Get alerts for School Pathways