ServiceNow patched an unauthenticated API vulnerability on June 5, 2026 that allowed unauthorized access to customer instances under certain configurations. The vulnerability, first reported in April, permitted unauthenticated users to gain elevated access to susceptible instances. ServiceNow's investigation identified activity beginning June 2 on a subset of customer instances, later attributed to security researchers conducting bug bounty submissions rather than malicious actors. No data exfiltration was confirmed.
// Service
School Pathways
Student Information System
// Alerts
Recent threats
// School PathwaysMEDIUM
// School PathwaysCRITICAL
A researcher compromised the CBSE OnMark (School Pathways) online marking portal, gaining full server and super admin access after officials initially denied security vulnerabilities. The breach was demonstrated twice, prompting CBSE to acknowledge security gaps and deploy IIT and government cybersecurity experts to contain the incident and identify remaining exploitable weaknesses.