Customer Data Exposed to Hacking Risk in New ServiceNow Vulnerability

By Matt Rooke

ServiceNow has recently confirmed a new security vulnerability that could provide hackers with remote, unauthenticated access to customer data. 

Individual customers have been warned via a support bulletin, and ServiceNow has raised direct support tickets with customers it believes to be affected. An update has been released that resolves the specific issue. 

It is currently unclear whether this vulnerability has been exploited. ServiceNow confirmed detecting ‘anomalous activity’ related to the issue, which some outlets had taken to mean that hackers had exploited the vulnerability.

But in a more recent update, ServiceNow has shared the following message: “Based on our investigation to date, we believe the observed activity is attributable to security researchers or customer research”. 

What Do We Know About the New ServiceNow Vulnerability? 

ServiceNow has confirmed the following statement directly with NowBen:

“ServiceNow recently applied a security update to hosted customers. The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended. We notified affected customers directly with next steps and guidance.”

Customers have been notified of the issue over the last few days, and an update was issued last Friday. The vulnerability was first reported by Bleeping Computer after being discussed on a ServiceNow-specific Reddit thread.

To understand the issue in more detail, NowBen spoke to Cory Michal, Chief Information Security Officer at AppOmni. He said, “The issue involved an unauthenticated, internet-facing ServiceNow API endpoint that existed on tenants with specific versions and configurations.” 

He goes on to warn: “Anyone who knew the endpoint URL and how to structure the request could access data from the affected ServiceNow tenant without authenticating first.”

Michal’s assessment correlates closely with the discussions on Reddit and the coverage in Bleeping Computer, which together suggest the following situation:

  • The vulnerability would allow an unauthenticated user to gain access to certain ServiceNow instances.
  • Administrators discussing the situation suggest it’s tied to a REST endpoint at /api/now/related_list_edit/create, and that the endpoint was configured with ‘requires_authentication=false’.
  • This provided unauthenticated access to potentially malicious actors. The update has reportedly since changed this setting from ‘false’ to ‘true’, so the endpoint now requires authentication as normal.
  • No official CVE has been released for the vulnerability, and it is currently unclear whether one will be.

However, ServiceNow has avoided discussing or confirming specific details about the vulnerability. 

Did Hackers Exploit the Vulnerability? 

Initial reports suggested that hackers had exploited the vulnerability to make unauthorized queries to customer instance tables. However, more recent updates suggest this information is associated with security researchers, not hackers. This information was shared directly with NowBen by a ServiceNow spokesperson. 

Nonetheless, there’s no guarantee that the vulnerability hasn’t been successfully exploited by hackers. Indeed, Michal suggests there are still unanswered questions:

“At least one system publicly associated with exploitation of this vulnerability also appears to have targeted tenants of other SaaS platforms with similar unauthenticated-access weaknesses,” said Cory Michal.

He went on to say that “while researcher activity clearly occurred, I would be cautious about saying all observed activity was benign research until the investigation is complete.”

Does the Vulnerability Affect You?

If you’re affected by the vulnerability, you should have been contacted directly by ServiceNow already. Customers with any questions are encouraged to contact the ServiceNow Technical Support team or file a formal support request. 

Security specialists discussing the situation (via Reddit) have suggested that suspicious activity has been associated with the IP address 51.159.98.241 and the resource /api/now/related_list_edit. In these discussions, the specialists advised administrators to check their ServiceNow instance for evidence of this indicator of compromise (IOC).

According to Cory Michal, there are now several steps customers should take to safeguard their organization: 

  • Verify that the June 5 security update has been applied. Self-hosted customers should follow ServiceNow’s guidance in KB3067372 to ensure they have applied the appropriate update or mitigation.
  • Search for evidence of exploitation. Review ServiceNow access and transaction logs for the known indicator of compromise (IOC), unauthenticated requests to the affected API endpoint, and unusual table or field queries, ideally covering at least the last 90 days.
  • Determine what data was accessed if any suspicious activity is found. Treat this like an incident investigation, not just a patching exercise.
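The IOC check described above and the log-review step in Michal’s list can be scripted against an export of the instance’s transaction log. The following is an added example written for this article, not code from ServiceNow, AppOmni or the Reddit thread: it scans constructed CSV log lines for requests to the /api/now/related_list_edit resource that carry no authenticated user, flags the IP address named above, and restricts the review to the recommended 90-day window. The column names (created, src_ip, user, method, url, status) are an assumed export layout, not ServiceNow’s actual schema, and the sample rows and reference time are constructed.

```python
"""Flag suspicious requests to the affected ServiceNow endpoint in an exported log.

Defender-side triage helper: it does not talk to any instance, it only reads an
export. Column layout and sample rows are constructed for this example.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IOC_IP = "51.159.98.241"                      # IP address named in the Reddit discussion
AFFECTED_PATH = "/api/now/related_list_edit"  # resource named in the same discussion
LOOKBACK_DAYS = 90                            # review window recommended by Michal

# Constructed sample export (assumed column names, not ServiceNow's real schema).
# An empty "user" column stands for a request with no authenticated session.
SAMPLE_EXPORT = """\
created,src_ip,user,method,url,status
2026-06-02T03:14:07Z,51.159.98.241,,POST,/api/now/related_list_edit/create,200
2026-06-02T03:14:09Z,51.159.98.241,,POST,/api/now/related_list_edit/create,200
2026-06-03T10:02:44Z,203.0.113.7,,POST,/api/now/related_list_edit/create,200
2026-06-03T10:05:01Z,198.51.100.23,admin,GET,/api/now/table/incident,200
2026-06-04T12:00:00Z,198.51.100.23,jsmith,POST,/api/now/related_list_edit/create,200
2026-06-05T08:30:00Z,203.0.113.7,,POST,/api/now/related_list_edit/create,401
2025-12-01T00:00:00Z,51.159.98.241,,POST,/api/now/related_list_edit/create,200
"""

# Constructed reference time for the 90-day window (stand-in for "now").
REPORT_TIME = datetime(2026, 6, 8, tzinfo=timezone.utc)


@dataclass
class Finding:
    when: datetime
    src_ip: str
    user: str
    url: str
    status: int
    reasons: list  # why the row was flagged, e.g. ["ioc_ip", "unauth_success"]


def parse_export(text):
    """Parse the CSV export into dicts with a tz-aware timestamp and int status."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        when = datetime.fromisoformat(raw["created"].replace("Z", "+00:00"))
        rows.append({**raw, "created": when, "status": int(raw["status"])})
    return rows


def classify(row):
    """Return the list of reasons a single log row deserves attention."""
    reasons = []
    if row["src_ip"] == IOC_IP:
        reasons.append("ioc_ip")
    if row["url"].startswith(AFFECTED_PATH) and not row["user"]:
        # An unauthenticated call that succeeded (2xx/3xx) is the exposure itself;
        # one that was denied (4xx) shows the endpoint now requiring authentication,
        # but the source is still worth a look.
        reasons.append("unauth_success" if row["status"] < 400 else "unauth_denied")
    return reasons


def scan(text, now=REPORT_TIME, lookback_days=LOOKBACK_DAYS):
    """Return findings for rows inside the lookback window that match any rule."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for row in parse_export(text):
        if row["created"] < cutoff:
            continue  # outside the review window
        reasons = classify(row)
        if reasons:
            findings.append(Finding(row["created"], row["src_ip"], row["user"],
                                    row["url"], row["status"], reasons))
    return findings


def summarize(findings):
    """Count findings per source IP so repeat sources stand out."""
    return Counter(f.src_ip for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_EXPORT)
    for f in results:
        print(f.when.isoformat(), f.src_ip, f.status, f.url, ",".join(f.reasons))
    print("per-source counts:", dict(summarize(results)))
```

Run against a real export, any row tagged unauth_success is the starting point for the data-access determination in the last step above; the per-source counts help decide whether a source is a one-off probe or sustained activity.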

Final Thoughts

ServiceNow was first made aware of the vulnerability through a submission to its ‘Bug Bounty’ program on April 22, 2026. This is an invite-only program designed to reward security researchers for identifying and reporting vulnerabilities to ServiceNow, so they can be fixed before hackers discover them.

According to ServiceNow’s recent bulletin, similar reports were subsequently submitted on June 2, 2026, and June 7, 2026. The anomalous activity (that ServiceNow says is security researchers) was identified on June 2, 2026. 

This seems to confirm concerns on Reddit and elsewhere that ServiceNow had known about the issue since April. Reportedly, ServiceNow was planning on fixing it in the upcoming Brazil release in late 2026. Instead, the thread suggests that the anomalous activity reported by customers last week led to an update being released earlier than planned. 

The Author

Matt Rooke

Matt is a tech writer at NowBen.