Latest
AppSec

ServiceNow Patches Unauthenticated API Flaw That Exposed Customer Instance Data

ServiceNow Patches Unauthenticated API Flaw That Exposed Customer Instance Data
  • ServiceNow has issued warnings of a possible security incident because hackers have taken advantage of a lack of authentication needed to make calls to a vulnerable API endpoint to get data from their clients' environments (customer instances).
  • After identifying "anomalous activity" concerning the issue, ServiceNow provided a discreet warning to its affected client base using a Support Bulletin and/or directly via Support Cases.
  • The bulletin that describes the situation is located behind ServiceNow's customer support log-in page:
  • "On June 5, 2026, ServiceNow applied a security update to hosted customer instances."
  • "The update addressed a security issue that may enable an unauthorized user, under specific conditions, to obtain access to the customer's ServiceNow environment beyond the level of authorization intended."

As stated by ServiceNow, the security update changed the API endpoint configuration to prevent unauthorized access to the API endpoints.

ServiceNow has also acknowledged that hackers were able to use the vulnerability to successfully query customer instance tables.

Although ServiceNow didn't provide any information about what data was accessed by the hackers during these incidents, customer instances typically include sensitive enterprise information such as: all types of IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details of corporate systems and services.

Ticket information contained within a Support Case has become a common target for threat actors, as tickets often contain credentials, API tokens, internal documentation, and authentication secrets exchanged between users while troubleshooting.

In accordance with the advisory, ServiceNow has established Support Cases with affected customers. In addition, if you are a customer and do not believe you have received one, you are most likely not impacted.

Additionally, although ServiceNow has not officially publicized any technical details regarding the vulnerability, administrators participating in the discussion on Reddit suggest the issue may be linked to a REST endpoint at /api/now/related_list_edit/create.

One commenter stated he assumed the endpoint was configured with requires_authentication=false, potentially enabling unauthenticated requests to access instance data.

According to reports from multiple admins, the security update apparently included setting requires_authentication=true.

Admins additionally contributed indicators of compromise (IOCs), which included API requests from IP address 51.159.98.241, and suggested other administrators should review logs for requests to the vulnerable endpoint.

The bulletin indicates the issue primarily affects customers using the Australia platform release, or those running older releases who made certain configuration changes.

"The security issue affects customers who are on the Australia platform release or made certain configuration changes to their instances on releases prior to Australia," ServiceNow cautioned.

Unsurfaced.com contacted ServiceNow earlier today after one of our readers brought this incident to our attention, and asked how long the activity had been ongoing, what caused the issue, and whether any customer data was exposed. We did not receive a response prior to publication.

ServiceNow has announced it will continue evaluating whether it will publish a CVE for the issue.

Administrators are encouraged to review their ServiceNow logs for requests to /api/now/related_list_edit, especially from IP address 51.159.98.241.

Impacted organizations should also review all exposed tickets and records for sensitive information, rotate credentials or tokens shared through support workflows, and ensure API logging is enabled.

More in Application & Web Security

IBM Reports 44% Increase in App Vulnerabilities Due to Faster Cyber Attacks Driven by AI
AppSec

IBM Reports 44% Increase in App Vulnerabilities Due to Faster Cyber Attacks Driven by AI

Apr 24, 2026 3 min read
Cybersecurity Arena Hosts Bot Battles
AppSec

Cybersecurity Arena Hosts Bot Battles

Apr 7, 2026 2 min read
Notepad++ Creator Claims Update Mechanism is Now 'Effectively Unexploitable'
AppSec

Notepad++ Creator Claims Update Mechanism is Now 'Effectively Unexploitable'

Apr 5, 2026 4 min read
Infected npm Package Stealthily Installs OpenClaw on Developer Systems
AppSec

Infected npm Package Stealthily Installs OpenClaw on Developer Systems

Apr 4, 2026 4 min read