top of page

ServiceNow Security Incident Exposes Customer Data and Unauthorized Access

  • Jun 10
  • 3 min read

Key Findings


  • ServiceNow applied a security update on June 5, 2026 to address an unauthenticated access vulnerability affecting hosted customer instances

  • The flaw allowed unauthorized users to gain elevated access to ServiceNow instances and query customer data

  • Evidence shows successful data access occurred for a subset of customers between June 2-4, 2026

  • The vulnerability stems from an API endpoint configuration that did not require authentication

  • Community reports allege ServiceNow was aware of the issue since April 7, 2026 but initially treated it as non-urgent

  • No CVE identifier has been assigned as of latest reporting


Background


ServiceNow discovered anomalous activity linked to an unauthenticated access vulnerability in some hosted customer instances. The company disclosed the issue through support bulletin KB3067321, accessible only to customers via ServiceNow's support portal. While ServiceNow has not publicly confirmed the extent of data accessed, the company opened support cases directly with affected organizations and stated it observed evidence of successful database queries.


Technical Details of the Vulnerability


The security flaw involves an API endpoint configuration that failed to enforce authentication requirements. Third-party analysis and administrator reports suggest the affected Scripted REST resource at endpoint /api/now/related_list_edit/create had its requires_authentication setting set to false. This allowed requests to bypass normal session, token, and credential checks. The June 5 update modified the endpoint configuration to restrict access to authenticated users only.


Community posts indicate that suspicious requests may appear in logs as activity from the Guest user, since the requests originated without valid credentials. However, ServiceNow has not independently confirmed this detail in public statements.


Timeline and Disclosure Issues


Community reporting on Reddit and X raises questions about how ServiceNow handled the vulnerability before patching. According to these accounts, a customer security team reported the issue before the fix was applied, but ServiceNow support initially classified it as non-urgent. Some posts allege that internal ServiceNow records show the vulnerability was tracked since April 7, 2026, with remediation planned for a later platform release rather than an emergency update.


ServiceNow has not publicly confirmed these timeline claims. A ServiceNow spokesperson stated the company prioritized reaching out directly to affected customers rather than making broad public announcements initially. The company did acknowledge in its advisory that similar submissions were made to its bug bounty program on April 22, 2026 and again on June 3-4, 2026.


Affected Systems and Data Exposure


The vulnerability affects customers on ServiceNow's Australia platform release, as well as customers on earlier releases who made certain configuration changes to their instances. ServiceNow has not publicly specified which data fields or records were accessed during the incident.


ServiceNow instances typically contain sensitive business information including IT support tickets, employee records, internal documentation, asset inventories, workflow data, security incident reports, and system configuration details. The malicious activity occurred between June 2-4, 2026, with community analysis suggesting a particular focus around IP address 51.159.98.241.


Recommended Actions for Customers


Affected customers are being notified directly through ServiceNow support cases. Organizations that did not receive a case are believed to be unaffected, though administrators may want to review logs as a precaution. Security teams should examine ServiceNow transaction and node logs for requests to the /api/now/related_list_edit endpoint, particularly around June 2-3, 2026.


Impacted organizations should inventory exposed tickets, records, and attachments to identify sensitive information. Any passwords, API tokens, credentials, or secrets found in affected records must be rotated immediately. Administrators should also audit all Scripted REST API resources to ensure authentication and access controls are properly configured across their instances.


Sources


  • https://hackread.com/servicenow-security-incident-exposing-customer-data/

  • https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html

  • https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data

  • https://app.daily.dev/posts/servicenow-discloses-security-incident-exposing-customer-data-uu7it8cfu

  • https://x.com/BleepinComputer/status/2064461133218517292

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page