ServiceNow Warns of Exploited API Flaw Leading to Unauthorized Data Access
ServiceNow has disclosed a security incident involving the exploitation of an unauthenticated access flaw in a vulnerable API endpoint, allowing attackers to query data from customer instances. The company detected "anomalous activity" related to the issue and issued a security update on June 5, 2026, to hosted customer instances, restricting API access to authenticated users only.
The flaw, which could permit unauthorized access under certain conditions, was addressed by modifying the API endpoint configuration. While ServiceNow has not specified the exact data accessed, affected instances may store sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, and security incident reports. Support tickets, in particular, are a prime target for threat actors, as they often contain credentials, API tokens, and authentication secrets.
ServiceNow has opened support cases with impacted customers and confirmed that customers who have not been notified are not believed to be affected. The issue primarily impacts customers on the Australia platform release or those running older releases with specific configuration changes.
Security researchers and administrators on Reddit identified the vulnerable endpoint as /api/now/related_list_edit/create, which was reportedly configured with requires_authentication=false. The update enforced authentication requirements. Indicators of compromise include API requests from the IP address 51.159.98.241, and administrators are advised to review logs for suspicious activity.
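An added example (not ServiceNow's code and not from the original article) of the log review described above: it scans an exported request log for calls to the named endpoint made without an authenticated user, and for any request from the listed IP address. The CSV column names, the empty/`guest` markers for an unauthenticated session, and the sample rows are assumptions constructed for illustration; map them to the fields of your instance's actual log export.

```python
import csv
import io
from urllib.parse import unquote, urlsplit

IOC_IP = "51.159.98.241"                        # indicator named in the article
ENDPOINT = "/api/now/related_list_edit/create"  # endpoint named in the article
ANON_USERS = {"", "-", "guest"}                 # assumption: how the export marks "no session"

# Constructed sample export; column names and rows are hypothetical.
SAMPLE_LOG = """\
timestamp,source_ip,url,user,status
2026-06-03T02:14:07Z,51.159.98.241,/api/now/related_list_edit/create?x=1,guest,200
2026-06-03T02:14:09Z,198.51.100.23,/api/now/Related_List_Edit/create/,,200
2026-06-03T08:30:00Z,192.0.2.10,/api/now/related_list_edit/create,jane.admin,200
2026-06-03T09:01:12Z,51.159.98.241,/api/now/table/incident,guest,401
2026-06-03T09:05:40Z,192.0.2.44,/api/now/table/incident,svc.integration,200
2026-06-06T11:00:00Z,198.51.100.23,/api/now/related%5Flist%5Fedit/create,,401
"""

def normalize_path(url):
    """Drop the query string, percent-decode, lowercase, strip a trailing slash."""
    path = unquote(urlsplit(url).path).lower()
    return path.rstrip("/") or "/"

def triage(log_text):
    """Return (timestamp, source_ip, reasons) for every row that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        on_endpoint = normalize_path(row["url"]) == ENDPOINT
        anonymous = row["user"].strip().lower() in ANON_USERS
        if row["source_ip"] == IOC_IP:
            # Flag the indicator on any endpoint, not only the named one.
            reasons.append("ioc_ip")
        if on_endpoint and anonymous:
            # A 2xx status means the unauthenticated call was actually served.
            served = row["status"].startswith("2")
            reasons.append("anon_endpoint_served" if served else "anon_endpoint_rejected")
        if reasons:
            findings.append((row["timestamp"], row["source_ip"], reasons))
    return findings

if __name__ == "__main__":
    for ts, ip, reasons in triage(SAMPLE_LOG):
        print(ts, ip, ",".join(reasons))
```

Rows tagged `anon_endpoint_served` from addresses other than the listed IP matter as much as the indicator itself, since a single published address rarely covers all sources of a request pattern.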
ServiceNow has not yet said whether a CVE will be assigned, nor has it provided further details on how long the exploitation lasted. The company is still evaluating the incident’s scope and impact.
ServiceNow cybersecurity rating report: https://www.rankiteo.com/company/servicenow