What happened
ServiceNow disclosed a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.
The company detected anomalous activity related to the issue and quietly warned impacted customers through a support bulletin and direct support cases. ServiceNow applied a security update to hosted customer instances on June 5, 2026.
The security issue could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended. The update changed the API endpoint configuration to limit access to authenticated users only.
ServiceNow confirmed that attackers exploited the flaw to successfully query customer instance tables. The company did not disclose which data was accessed during the attacks. ServiceNow instances commonly store sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.
The issue primarily affects customers running the Australia platform release or customers on older releases who made certain configuration changes. ServiceNow has opened support cases with affected customers. Customers who have not received a support case are not believed to be affected by the incident.
Administrators discussing the incident said the issue appears to be tied to a REST endpoint at /api/now/related_list_edit/create. One commenter claimed the endpoint was configured with requires_authentication=false, potentially allowing unauthenticated requests to access instance data. Administrators also shared indicators of compromise, including API requests from the IP address 51.159.98.241.
ServiceNow is still evaluating whether it will publish a CVE for the issue.
Who is affected
Affected ServiceNow customers are those running the Australia platform release or customers on older releases who made certain configuration changes.
Impacted organizations may have had customer instance tables queried by attackers. The exposed data could vary by customer instance, but ServiceNow environments often contain enterprise data such as IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.
Customers who received a support case from ServiceNow are considered affected. Customers who did not receive one are not believed to be affected by the incident.
Why CISOs should care
This incident highlights the risk of unauthenticated API access to enterprise workflow platforms. ServiceNow instances often hold sensitive operational data that can reveal how an organization manages IT, security, assets, employees, and internal processes. Even when the incident does not involve ransomware or destructive activity, unauthorized queries against instance tables can expose high-value internal information.
The incident also shows why customer support and workflow records need stronger scrutiny. Support tickets and related records can contain credentials, API tokens, internal documentation, authentication secrets, and troubleshooting details. If attackers can query that data, they may gain information that supports follow-on attacks.
For CISOs, the platform release and configuration angle is important. The issue primarily affects customers on the Australia platform release or customers on older releases with certain configuration changes, which makes release posture, configuration review, and API logging central to exposure management.
3 practical actions
- Review ServiceNow logs for suspicious API requests: Administrators are advised to review logs for requests to /api/now/related_list_edit, particularly from the IP address 51.159.98.241. Security teams should search for activity tied to the vulnerable endpoint and preserve relevant logs for investigation.
- Inspect exposed tickets and records for sensitive information: Attackers successfully queried customer instance tables, and ServiceNow environments can contain support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details. CISOs should identify what data may have been accessible and prioritize records containing credentials, tokens, or internal security details.
- Rotate credentials and tokens shared through support workflows: Support case information can contain authentication secrets, API tokens, credentials, and troubleshooting data. Organizations should rotate any secrets that may have been stored in exposed tickets or records and reinforce rules against placing credentials in support workflows.
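
An added example of the log review in the first action (not code from ServiceNow or from the administrators quoted above): it scans access-log lines for requests under /api/now/related_list_edit and flags the reported IP address and unauthenticated requests that succeeded. The log layout (Common Log Format exported by a reverse proxy or WAF in front of the instance), the sample lines and the function name `triage` are assumptions.

```python
import re
from collections import defaultdict

# Values taken from the article.
ENDPOINT_PREFIX = "/api/now/related_list_edit"
IOC_IPS = {"51.159.98.241"}

# Assumed layout: Common Log Format lines from a reverse proxy or WAF.
# Adjust the regex to match your real export before relying on the results.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation-range IPs except the article's IoC).
SAMPLE_LOG = """\
51.159.98.241 - - [04/Jun/2026:02:11:07 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 18342
198.51.100.7 - jdoe [04/Jun/2026:02:12:40 +0000] "GET /api/now/table/incident?sysparm_limit=1 HTTP/1.1" 200 911
203.0.113.9 - - [04/Jun/2026:03:00:01 +0000] "POST /API/now/related_list_edit/create?x=1 HTTP/1.1" 401 0
198.51.100.7 - jdoe [04/Jun/2026:03:05:12 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 204
not a log line
"""

def triage(lines):
    """Return (findings, per_ip_counts, unparsed) for hits on the endpoint."""
    findings, per_ip, unparsed = [], defaultdict(int), 0
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            unparsed += 1  # counted so parse gaps do not hide requests
            continue
        # Drop the query string and normalise case before matching the path.
        path = m["path"].split("?", 1)[0].lower()
        if not path.startswith(ENDPOINT_PREFIX):
            continue
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        # No authenticated user recorded, yet the request returned 2xx.
        if m["user"] == "-" and m["status"].startswith("2"):
            reasons.append("unauthenticated_success")
        per_ip[m["ip"]] += 1
        findings.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "reasons": reasons})
    return findings, dict(per_ip), unparsed

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

Every hit on the endpoint is returned, including those with no flag, so the full set can be preserved for investigation; a non-zero unparsed count means the regex does not fit the export and the results are incomplete.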
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

