    Canadian Cyber Watch
    ServiceNow discloses security incident exposing customer data

    By admin | June 9, 2026

    ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.

    The company quietly warned impacted customers through a support bulletin and direct support cases after detecting “anomalous activity” related to the issue.

    The bulletin, which is hidden behind ServiceNow’s customer support login portal, states that the company applied a security update to hosted customer instances on June 5, 2026.

    “On June 5, 2026, ServiceNow applied a security update to hosted customer instances,” reads the support bulletin.

    “The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”

    The company says this security update changes the API endpoint configuration to limit access to authenticated users only.

    ServiceNow also confirmed that attackers exploited this flaw to successfully query the customer instance tables.

    While ServiceNow did not disclose which data was accessed during the attacks, instances commonly store sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.

    Support case information has become an increasingly popular target for threat actors, as tickets can contain credentials, API tokens, internal documentation, and authentication secrets shared during troubleshooting.

    According to the advisory, ServiceNow has now opened support cases with affected customers. If a customer has not received one, they are not believed to be affected by the incident.

    While ServiceNow has not publicly disclosed technical details about the flaw, administrators discussing the incident on Reddit say the issue appears to be tied to a REST endpoint at ‘/api/now/related_list_edit/create’.

    One commenter claimed the endpoint was configured with ‘requires_authentication=false’, potentially allowing unauthenticated requests to access instance data. The security update released on Friday was allegedly used to set requires_authentication to true.

    Numerous admins shared indicators of compromise, including API requests from the IP address ‘51.159.98.241,’ advising other administrators to review logs for requests to the vulnerable endpoint.

    The bulletin states the issue primarily impacts customers running the Australia platform release or customers on older releases who made certain configuration changes.

    “The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” ServiceNow warned.

    BleepingComputer contacted ServiceNow earlier today after a reader alerted us to the incident, asking how long the activity had been ongoing, what caused the issue, and whether customer data had been stolen. We did not receive a response before publication.

    ServiceNow says it is still evaluating whether it will publish a CVE for the issue.

    Administrators are advised to review ServiceNow logs for requests to /api/now/related_list_edit, particularly from the IP address 51.159.98.241.
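
    One way to carry out the log review recommended above, as an added example that is not from ServiceNow or the original article: it normalises request paths before matching, so encoded or case-varied forms of the endpoint are not missed. The log line layout, the sample lines and the severity labels are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

ENDPOINT_PREFIX = "/api/now/related_list_edit"   # path named in the article
REPORTED_IP = "51.159.98.241"                    # IP address named in the article

# ASSUMPTION: a generic 'ip user [time] "METHOD url ..." status' layout; adapt
# the regex to the columns of your own transaction or node log export.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation addresses except the reported IP).
SAMPLE_LOG = """\
198.51.100.7 jdoe [05/Jun/2026:09:14:02 +0000] "GET /api/now/table/incident?sysparm_limit=1 HTTP/1.1" 200
51.159.98.241 - [04/Jun/2026:22:41:10 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200
203.0.113.50 - [04/Jun/2026:23:02:55 +0000] "POST /API/now//related_list_edit/create?x=1 HTTP/1.1" 200
203.0.113.51 - [05/Jun/2026:01:10:00 +0000] "POST /api/now/related%5Flist%5Fedit/create HTTP/1.1" 401
198.51.100.9 asmith [05/Jun/2026:10:00:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200
51.159.98.241 - [04/Jun/2026:22:40:01 +0000] "GET /login.do HTTP/1.1" 200
"""

def normalize_path(url):
    # Drop the query, percent-decode, lowercase, collapse repeated slashes.
    path = unquote(urlsplit(url).path).lower()
    return re.sub(r"/{2,}", "/", path)

def review(log_text):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits_endpoint = normalize_path(m["url"]).startswith(ENDPOINT_PREFIX)
        from_reported_ip = m["ip"] == REPORTED_IP
        if not (hits_endpoint or from_reported_ip):
            continue
        if hits_endpoint and m["user"] == "-" and m["status"].startswith("2"):
            severity = "high"      # unauthenticated request answered with 2xx
        elif hits_endpoint:
            severity = "review"    # endpoint touched, but authenticated or rejected
        else:
            severity = "context"   # other activity from the reported IP
        findings.append((severity, m["ip"], m["ts"], m["method"], m["url"], m["status"]))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```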

    Impacted organizations should review exposed tickets and records for sensitive information, rotate credentials or tokens shared through support workflows, and ensure API logging is enabled.

