Critical ServiceNow Vulnerability Allows Remote Code Execution in AI Platform
ServiceNow has released security updates to address CVE-2026-6875, a critical sandbox escape vulnerability in its AI Platform that allows unauthenticated attackers to execute malicious code remotely.

ServiceNow has disclosed and fixed a critical security vulnerability in its AI Platform that could allow unauthenticated attackers to execute code within affected ServiceNow environments. The flaw, tracked as CVE-2026-6875, is described as a sandbox escape vulnerability and affects both hosted and self-hosted ServiceNow deployments.
ServiceNow stated that the vulnerability could allow an attacker to circumvent intended platform restrictions and execute code in certain circumstances. Because exploitation does not require authentication, the issue poses a significant risk to exposed ServiceNow instances that have not yet received the necessary security updates. Enterprises widely utilize ServiceNow for critical functions such as IT service management, workflow automation, customer operations, security operations, and internal business processes.
A successful remote code execution attack against such a platform could enable attackers to disrupt workflows, access sensitive data, modify records, or leverage the compromised environment as a launchpad for further malicious activities. While ServiceNow has not released extensive technical details regarding the root cause of the vulnerability, the company published an advisory (KB3137947) on July 13, 2026, limiting specifics to allow customers time to patch before exploits become widely available.
ServiceNow has already deployed security updates to its hosted instances and made relevant updates available to self-hosted customers and partners. Organizations managing their own ServiceNow environments are urged to review their current family release and install the appropriate patch or upgrade to a fixed version promptly. The vulnerability is addressed in specific releases, including Brazil Early Access and General Availability, Australia Patch 2, Zurich Patch 7b or 9, and Yokohama Patch 12 Hot Fix 1b or 13.
While ServiceNow has indicated it is not currently aware of any active exploitation of CVE-2026-6875 in the wild, the public disclosure of a critical unauthenticated remote code execution flaw can quickly attract the attention of security researchers and malicious actors. Therefore, organizations should treat this issue with urgency, even in the absence of observed suspicious activity.
Administrators are advised to confirm their ServiceNow instance's hosting environment (hosted by ServiceNow or self-hosted) and verify that platform updates have been applied. For self-hosted environments, reviewing ServiceNow’s security maintenance guidance and patch status is crucial. Security teams should also enhance monitoring for administrative activity, unusual integrations, unexpected workflow modifications, and suspicious API behavior following the update.
The CVE record for CVE-2026-6875 is available on CVE.org, and further patch and maintenance information can be found in ServiceNow advisories KB2930717 and KB2930740. Prompt remediation remains the most effective defense against potential exploitation of this critical vulnerability.