
ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
Executive Summary:
A critical security flaw in ServiceNow was exploited in early June 2026, allowing unauthenticated attackers to access sensitive enterprise data. The vulnerability stemmed from a misconfigured API endpoint that bypassed authentication controls. Although initially reported through bug bounty submissions, evidence confirmed that a subset of customer instances was successfully queried before a patch was deployed. This marks the first confirmed case in recent months where attackers accessed data prior to remediation.
Key Takeaways:
- A misconfigured API endpoint allowed unauthenticated access to ServiceNow data.
- Attackers successfully queried customer instance tables before a patch was applied.
- The flaw affected specific platform releases and configurations, particularly related to the Australia release.
- This is the third major authentication-related vulnerability in ServiceNow within eight months.
Incident Overview:
Between June 2 and June 4, 2026, suspicious activity was detected across multiple ServiceNow customer environments. Reports submitted via bug bounty programs highlighted a vulnerability that allowed unauthenticated users to access instance data.
The root cause was a Scripted REST API endpoint configured with requires_authentication=false, effectively removing authentication checks. This allowed attackers to directly query backend tables without valid credentials.
ServiceNow identified the issue, notified affected customers, and deployed a security update on June 5, 2026. The company later confirmed that a subset of instances had been successfully accessed.

Scope and Type of Exposed Customer Data:
Although ServiceNow has not publicly disclosed exact data exposure, affected systems typically store highly sensitive enterprise information, including:
- IT service tickets and internal communications
- Employee and HR records
- Knowledge base articles and documentation
- Asset inventories and configuration data
- Security incident reports
- Credentials and API tokens embedded in tickets or attachments
Even limited access to such data could enable lateral movement into connected enterprise systems.
Targeted Country / Scope:
Customers using the Australia platform release
Customers on older releases with specific configuration changes
MITRE TTP:
- T1190 : Exploit Public-Facing Application
- T1078 : Valid Accounts
- T1040 : Network Sniffing is not supported by the evidence I found, so I would not include it here.
- T1087 : Account Discovery is also not clearly supported, so I would leave it out.
Targeted Vulnerabilitie:
As of right now, ServiceNow has not publicly assigned a standard CVE (Common Vulnerabilities and Exposures)
Indicators of Compromise (IOC):
Security teams should review logs for the following indicators:
- Suspicious API requests to:
/api/now/related_list_edit/create - Requests originating from IP address:
51.159.98.241 - Unusual or unauthenticated access patterns in instance tables
- Low-volume but consistent request patterns (approximately five requests per tenant)
Additionally, administrators should refer to ServiceNow guidance such as KB3067372 for self-hosted environments.
Conclusion:
This incident highlights the risks posed by misconfigured APIs in enterprise SaaS platforms. A single disabled authentication flag enabled attackers to bypass all access controls and query sensitive data directly. Unlike previous vulnerabilities, this flaw was exploited before remediation, underscoring the need for faster patch cycles, stricter configuration validation, and proactive monitoring.
Organizations using ServiceNow should immediately review logs, validate configurations, and ensure all security updates are applied. Continuous monitoring of API activity and strict access controls remain essential to preventing similar incidents in the future.