ServiceNow Security Incident Exposes Customer Data and Unauthorized Access
- Jun 10
- 3 min read
Key Findings
ServiceNow applied a security update on June 5, 2026 to address an unauthenticated access vulnerability affecting hosted customer instances
The flaw allowed unauthorized users to gain elevated access to ServiceNow instances and query customer data
Evidence shows successful data access occurred for a subset of customers between June 2-4, 2026
The vulnerability stems from an API endpoint configuration that did not require authentication
Community reports allege ServiceNow was aware of the issue since April 7, 2026 but initially treated it as non-urgent
No CVE identifier has been assigned as of latest reporting
Background
ServiceNow discovered anomalous activity linked to an unauthenticated access vulnerability in some hosted customer instances. The company disclosed the issue through support bulletin KB3067321, accessible only to customers via ServiceNow's support portal. While ServiceNow has not publicly confirmed the extent of data accessed, the company opened support cases directly with affected organizations and stated it observed evidence of successful database queries.
Technical Details of the Vulnerability
The security flaw involves an API endpoint configuration that failed to enforce authentication requirements. Third-party analysis and administrator reports suggest the affected Scripted REST resource at endpoint /api/now/related_list_edit/create had its requires_authentication setting set to false. This allowed requests to bypass normal session, token, and credential checks. The June 5 update modified the endpoint configuration to restrict access to authenticated users only.
Community posts indicate that suspicious requests may appear in logs as activity from the Guest user, since the requests originated without valid credentials. However, ServiceNow has not independently confirmed this detail in public statements.
Timeline and Disclosure Issues
Community reporting on Reddit and X raises questions about how ServiceNow handled the vulnerability before patching. According to these accounts, a customer security team reported the issue before the fix was applied, but ServiceNow support initially classified it as non-urgent. Some posts allege that internal ServiceNow records show the vulnerability was tracked since April 7, 2026, with remediation planned for a later platform release rather than an emergency update.
ServiceNow has not publicly confirmed these timeline claims. A ServiceNow spokesperson stated the company prioritized reaching out directly to affected customers rather than making broad public announcements initially. The company did acknowledge in its advisory that similar submissions were made to its bug bounty program on April 22, 2026 and again on June 3-4, 2026.
Affected Systems and Data Exposure
The vulnerability affects customers on ServiceNow's Australia platform release, as well as customers on earlier releases who made certain configuration changes to their instances. ServiceNow has not publicly specified which data fields or records were accessed during the incident.
ServiceNow instances typically contain sensitive business information including IT support tickets, employee records, internal documentation, asset inventories, workflow data, security incident reports, and system configuration details. The malicious activity occurred between June 2-4, 2026, with community analysis suggesting a particular focus around IP address 51.159.98.241.
Recommended Actions for Customers
Affected customers are being notified directly through ServiceNow support cases. Organizations that did not receive a case are believed to be unaffected, though administrators may want to review logs as a precaution. Security teams should examine ServiceNow transaction and node logs for requests to the /api/now/related_list_edit endpoint, particularly around June 2-3, 2026.
Impacted organizations should inventory exposed tickets, records, and attachments to identify sensitive information. Any passwords, API tokens, credentials, or secrets found in affected records must be rotated immediately. Administrators should also audit all Scripted REST API resources to ensure authentication and access controls are properly configured across their instances.
Sources
https://hackread.com/servicenow-security-incident-exposing-customer-data/
https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html
https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data
https://app.daily.dev/posts/servicenow-discloses-security-incident-exposing-customer-data-uu7it8cfu
https://x.com/BleepinComputer/status/2064461133218517292

Comments