ServiceNow Warns Customers After Attackers Exploit API Security Flaw
ServiceNow has alerted customers to a security incident involving the exploitation of an API vulnerability that allowed unauthenticated users to access and query data from affected customer instances.
The company notified impacted organizations through a support bulletin and direct support cases after identifying what it described as "anomalous activity" associated with the issue.
According to the advisory, ServiceNow deployed a security update to hosted customer instances on June 5, 2026.
"On June 5, 2026, ServiceNow applied a security update to hosted customer instances. The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended."
The update modifies the affected API endpoint configuration to restrict access exclusively to authenticated users.
ServiceNow confirmed that threat actors successfully exploited the vulnerability to query customer instance tables. However, the company has not disclosed the specific types of data that may have been accessed.
Because ServiceNow environments often contain sensitive enterprise information, the potential exposure could include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and system configuration details.
Support Data Remains a High-Value Target
Support and service management platforms continue to attract significant interest from threat actors. Support tickets frequently contain sensitive information such as credentials, API keys, authentication tokens, troubleshooting notes, and internal documentation that can facilitate further compromise.
ServiceNow stated that it has opened support cases with customers believed to be affected by the incident. Organizations that have not received a notification are not currently believed to be impacted.
Possible Technical Details Emerge
Although ServiceNow has not publicly released technical details about the vulnerability, discussions among administrators suggest the issue may be linked to the REST API endpoint:
/api/now/related_list_edit/create
Several administrators reported that the endpoint may have been configured with requires_authentication=false, potentially allowing unauthenticated requests to retrieve data from customer instances. The June 5 security update reportedly changed this setting to require authentication.
Administrators have also shared indicators of compromise (IOCs), including requests originating from the IP address:
51.159.98.241
Organizations are being encouraged to review logs for activity involving both the vulnerable endpoint and the identified IP address.
Who Is Affected?
According to ServiceNow, the issue primarily impacts customers running the Australia platform release, as well as organizations using earlier releases that implemented specific configuration changes.
"The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia."
At the time of publication, ServiceNow had not publicly disclosed how long the malicious activity had been occurring, the root cause of the vulnerability, or whether any customer data had been exfiltrated. The company is also evaluating whether a CVE identifier will be assigned to the issue.
Recommended Actions for Administrators
Organizations using ServiceNow should take the following steps:
Review instance logs for requests to /api/now/related_list_edit.
Investigate activity associated with the IP address 51.159.98.241.
Assess exposed tickets, records, and workflow data for sensitive information.
Rotate any credentials, API keys, or authentication tokens that may have been shared through support workflows.
Verify that API logging and monitoring are enabled to support ongoing investigation and detection efforts.
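The first two of these steps amount to a log triage: find requests to the endpoint named in the administrator discussions, single out those that succeeded without any authentication, and cross-reference the reported IP address. The following script is an added example written for this article, not ServiceNow's own code or tooling. It assumes a constructed, combined-log-style line format (client IP, timestamp, request line, status code, and an `auth=` field that is `-` when the request carried no session or credential); real ServiceNow instance logs differ, so the regular expression and field names are assumptions to adapt. The sample log lines are constructed for illustration.

```python
"""Triage helper for ServiceNow-style HTTP access logs (added example).

Assumed line format (constructed for this example, not a ServiceNow format):
  <client-ip> [<timestamp>] "<METHOD> <path> HTTP/1.1" <status> auth=<session|->
"""
import re
from collections import Counter
from dataclasses import dataclass

# Endpoint prefix and IP address as reported in the administrator discussions.
VULNERABLE_PATH_PREFIX = "/api/now/related_list_edit"
REPORTED_IOC_IPS = {"51.159.98.241"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reasons: tuple  # why this line was flagged


def parse_line(line):
    """Return a dict of fields, or None when the line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), "status": int(m.group("status"))}


def classify(rec):
    """Tag a parsed record with the triage conditions it satisfies."""
    reasons = []
    if rec["path"].startswith(VULNERABLE_PATH_PREFIX):
        reasons.append("vulnerable-endpoint")
        # A 2xx/3xx answer to a request with no session is the exposure pattern
        # the advisory describes; 401/403 responses mean the fix (or auth) held.
        if rec["auth"] == "-" and rec["status"] < 400:
            reasons.append("unauthenticated-success")
    if rec["ip"] in REPORTED_IOC_IPS:
        reasons.append("ioc-ip")
    return tuple(reasons)


def triage(lines):
    """Parse every line, skip unparsable ones, and keep only flagged requests."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"],
                                    rec["path"], rec["status"], reasons))
    return findings


def summarize(findings):
    """Count how often each triage reason fired across all findings."""
    return Counter(r for f in findings for r in f.reasons)


# Constructed sample log: one benign table query, two unauthenticated hits from
# the reported IP, one rejected attempt, one authenticated use, one junk line.
SAMPLE_LOG = """\
10.0.0.5 [05/Jun/2026:08:01:10 +0000] "GET /api/now/table/incident?sysparm_limit=1 HTTP/1.1" 200 auth=session
51.159.98.241 [04/Jun/2026:23:14:02 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 auth=-
51.159.98.241 [04/Jun/2026:23:14:03 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 auth=-
198.51.100.7 [05/Jun/2026:01:02:03 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 401 auth=-
10.0.0.9 [05/Jun/2026:09:30:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 auth=session
garbage line that does not parse
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f.ts, f.ip, f.method, f.path, f.status, ",".join(f.reasons))
    print(dict(summarize(found)))
```

The records tagged `unauthenticated-success` are the ones to prioritize: they show the endpoint answering a request with no session before the June 5 update, which is exactly the condition the advisory describes. Hits on the endpoint from authenticated sessions are expected application traffic and are listed only so the reviewer can see the baseline; a hit from the reported IP address that did not reach the endpoint would still be flagged as `ioc-ip` and warrants a look on its own.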
As ServiceNow continues its investigation, customers are encouraged to closely monitor their environments and follow any additional guidance provided through official support channels.