ServiceNow patches unauthenticated access flaw after data queried from customer instances

ServiceNow has notified customers of a security incident in which a flaw in a vulnerable API endpoint allowed unauthenticated access to data inside hosted customer instances. The company says it pushed a fix to its hosted instances on June 5, 2026, after spotting anomalous activity, and confirmed that the weakness was used to query customer instance tables. In a follow-up advisory on June 10, ServiceNow said it now believes the activity was most likely tied to security researchers or customer-led bug bounty testing rather than malicious actors. No CVE has been assigned yet, and the company says it is still weighing whether to publish one.

ServiceNow disclosed the issue quietly, through a support bulletin locked behind its customer login portal and through direct support cases opened with affected organizations. According to the bulletin, the flaw could, under certain conditions, let an unauthenticated user gain more access to an instance than intended. The applied update reconfigures the affected API endpoint so that only authenticated users can reach it. ServiceNow indicated the problem mainly affects customers on its Australia platform release, as well as those on earlier releases who had made specific configuration changes. The company says it has contacted every impacted customer, so organizations that have not received a support case are not thought to be affected.

The vendor has not released technical specifics, but administrators discussing the incident on Reddit have pointed — without official confirmation — to a REST endpoint at /api/now/related_list_edit/create. One commenter said the endpoint was set with requires_authentication=false, which could have permitted unauthenticated requests to reach instance data, and claimed the June 5 update flipped that setting to true. Several admins also circulated indicators of compromise, including requests originating from the IP address 51.159.98.241, and urged peers to comb their logs for traffic to the endpoint.

The exposure matters because ServiceNow instances typically hold a wide range of sensitive enterprise data, including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and system configuration details. Support tickets are a particularly attractive target, since they often contain credentials, API tokens, and authentication secrets exchanged while troubleshooting. ServiceNow has not said what data, if any, was accessed.

What administrators should do

ServiceNow advises reviewing logs for requests to /api/now/related_list_edit, especially any coming from 51.159.98.241. Affected organizations should also examine exposed tickets and records for sensitive content, rotate any credentials or tokens that were shared through support workflows, and confirm that API logging is turned on.

One unresolved question is timing: ServiceNow says it received a confidential bug bounty report describing a similar issue on April 22, 2026, but did not deploy the security update until June 5 — days after activity against customer instances reportedly began. The company had not explained the delay or responded to questions about the incident by the time of publication.