ServiceNow Discloses Security Incident Exposing Customer Data via API Flaw
ServiceNow has revealed a security incident where attackers exploited an unauthenticated API endpoint vulnerability, leading to unauthorized access and querying of customer data.

ServiceNow is alerting its customers to a security incident that occurred due to attackers exploiting a flaw in an unauthenticated API endpoint. This vulnerability allowed unauthorized actors to query data from customer instances, prompting the company to issue a warning through support bulletins and direct customer cases.
The company detected "anomalous activity" related to the issue and responded by applying a security update to its hosted customer instances on June 5, 2026. This update specifically targeted the API endpoint, reconfiguring it to restrict access exclusively to authenticated users. ServiceNow confirmed that the attackers successfully leveraged this vulnerability to query tables within customer instances before the patch was deployed.
While ServiceNow has not publicly detailed the specific types of data accessed, instances of the platform commonly store highly sensitive enterprise information. This can include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and detailed configuration data for corporate systems and services. The exposure of support case information is particularly concerning, as these tickets can inadvertently contain credentials, API tokens, and other authentication secrets shared during troubleshooting processes.
Administrators discussing the incident on platforms like Reddit have pointed to a specific REST endpoint, '/api/now/related_list/create', as the likely vector. Reports suggest this endpoint was initially configured with 'requires_authentication=false', enabling unauthenticated requests to access instance data. The security update deployed by ServiceNow reportedly corrected this by setting 'requires_authentication' to true.
Indicators of compromise (IOCs) have emerged, with administrators sharing API requests originating from the IP address '51.159.98.241'. They are advising other administrators to meticulously review their logs for any suspicious requests directed at the vulnerable endpoint. The bulletin also notes that the issue primarily affected customers on the Australia platform release or those on older releases who had implemented specific configuration changes.
ServiceNow is currently evaluating whether to assign a CVE identifier to this vulnerability. In the interim, administrators are strongly advised to examine their ServiceNow logs for any activity related to the '/api/now/related_list/edit' endpoint, paying close attention to requests from the identified malicious IP address. Organizations confirmed to be impacted should review any exposed tickets and records for sensitive information, rotate any credentials or tokens that may have been shared through support workflows, and ensure robust API logging is enabled for future monitoring.
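The log review recommended above can be scripted. The following is an added example, not ServiceNow code or anything published in the bulletin: it triages a CSV export of request logs for calls to the related_list API, matching both the '/create' and '/edit' paths named in this article. The column names, the "guest" marker for unauthenticated sessions and the sample rows are assumptions constructed for illustration; only the endpoint paths and the IP address come from the article.

```python
import csv
import io
from urllib.parse import urlsplit

# Values taken from the article above.
ENDPOINT_PREFIX = "/api/now/related_list/"  # covers both /create and /edit
REPORTED_IP = "51.159.98.241"

# Assumption: unauthenticated sessions are logged with one of these user values.
UNAUTH_USERS = {"", "guest"}

# Constructed sample export; column names are hypothetical, not a ServiceNow schema.
SAMPLE_LOG = """\
timestamp,source_ip,url,user
2026-06-03 02:14:09,51.159.98.241,/api/now/related_list/create?q=constructed,guest
2026-06-03 02:14:11,198.51.100.7,/api/now/related_list/edit,
2026-06-04 09:30:00,203.0.113.20,/api/now/related_list/edit,jane.admin
2026-06-04 09:31:12,203.0.113.20,/api/now/table/incident,jane.admin
2026-06-04 11:02:45,51.159.98.241,/API/NOW/Related_List/Create,guest
"""

def triage(log_text):
    """Return findings for requests to the related_list API, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Drop the query string and lowercase the path so case variants still match
        # (over-matching is the safer choice for a log review).
        path = urlsplit(row["url"].strip()).path.lower()
        if not path.startswith(ENDPOINT_PREFIX):
            continue
        reasons = []
        if row["source_ip"].strip() == REPORTED_IP:
            reasons.append("reported-ip")
        if row["user"].strip().lower() in UNAUTH_USERS:
            reasons.append("unauthenticated")
        findings.append({
            "timestamp": row["timestamp"],
            "source_ip": row["source_ip"].strip(),
            "path": path,
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    # Stable sort: high-severity rows first, original order kept within each group.
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"], f["timestamp"], f["source_ip"], f["path"], f["reasons"])
```

Rows marked "review" are authenticated calls to the same endpoint; they are listed so an analyst can confirm the account and source are expected.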
The full scope and impact of the data exposure are still under investigation by ServiceNow. The company has stated that if a customer has not received a support case notification, they are not believed to be affected by this particular incident. The incident underscores the critical importance of securing API endpoints and the potential risks associated with unauthenticated access to sensitive enterprise data.