ServiceNow patched API flaw after anomalous customer data probes

ServiceNow says attackers used an unauthenticated access weakness tied to a vulnerable API endpoint to query customer instance tables. The company applied a security update on June 5, 2026, and alerted impacted customers through support bulletins and direct cases.
On June 5, 2026, ServiceNow applied a security update to hosted customer instances. The company says it was responding to a flaw that, in certain circumstances, could let an unauthenticated user gain greater access than intended.
ServiceNow did not announce the incident publicly. Instead, it warned impacted customers through a support bulletin hidden behind ServiceNow’s customer support login portal, plus direct support cases opened after the company detected “anomalous activity” related to the issue.
The bulletin is blunt about what changed. “On June 5, 2026, ServiceNow applied a security update to hosted customer instances,” it states. It adds that the update addressed “a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”
ServiceNow says the fix changes the API endpoint configuration so access is limited to authenticated users only. The company also confirmed attackers exploited the flaw and successfully queried the customer instance tables.
What that could mean for customers is not spelled out in technical terms in the bulletin; ServiceNow did not disclose which data was accessed. But the company notes that customer instances commonly store sensitive enterprise information. That includes IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.
For security teams, that breadth is the unsettling part: support workflows and troubleshooting content are often where credentials, API tokens, and authentication secrets end up. The advisory points out that support case information has become a popular target for threat actors, precisely because tickets can contain sensitive details shared during troubleshooting.
ServiceNow says it has now opened support cases with affected customers. If a customer has not received a case, ServiceNow says it is not believed to be affected.
Public technical details remain limited. ServiceNow has not publicly disclosed the underlying flaw, but administrators discussing the incident on Reddit say it appears tied to a REST endpoint at “/api/now/related_list_edit/create.” One commenter claimed that endpoint could have been configured with “requires_authentication=false,” potentially allowing unauthenticated requests to access instance data. The same thread alleges the security update released on Friday was used to set “requires_authentication” to true.
Some administrators also shared what they were seeing in logs. Numerous admins reported indicators of compromise, including API requests originating from the IP address “51.159.98.241,” urging other administrators to review logs for requests to the vulnerable endpoint.
In its bulletin, ServiceNow says the issue primarily impacts customers on the Australia platform release or customers on older releases who made certain configuration changes. “The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” the company warned.
ServiceNow says it is still evaluating whether it will publish a CVE for the issue.
Administrators are being advised to review ServiceNow logs for requests to “/api/now/related_list_edit,” particularly from the IP address “51.159.98.241.” Impacted organizations are also told to review exposed tickets and records for sensitive information and rotate credentials or tokens shared through support workflows, while ensuring API logging is enabled.
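The log review advised above can be scripted. The following is an added example, not ServiceNow code or tooling: it triages an exported request log for hits on the endpoint path and flags the reported IP as well as any other unauthenticated caller. The CSV column names, the sample rows, and the convention that unauthenticated sessions appear as user "guest" or blank are assumptions to adapt to the actual log export.

```python
import csv
import io
from urllib.parse import urlsplit

ENDPOINT_PREFIX = "/api/now/related_list_edit"  # path named in the advisory
REPORTED_IP = "51.159.98.241"                   # IP reported by administrators

# Constructed sample export; column names are assumptions, not a ServiceNow schema.
SAMPLE_LOG = """\
created,source_ip,user,method,url,status
2026-06-03 02:14:07,51.159.98.241,guest,POST,/api/now/related_list_edit/create,200
2026-06-03 02:14:09,51.159.98.241,guest,POST,/api/now/related_list_edit/create?x=1,200
2026-06-03 09:30:41,198.51.100.7,jane.admin,POST,/api/now/related_list_edit/create,200
2026-06-04 11:02:55,203.0.113.20,guest,POST,/api/now/related_list_edit/create,200
2026-06-04 11:05:10,203.0.113.20,guest,GET,/api/now/table/incident,401
2026-06-06 08:00:00,203.0.113.20,guest,POST,/api/now/related_list_edit/create,401
"""

def triage(log_text):
    """Return (row, reasons) for each request to the endpoint that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Match on the path only, so query strings do not hide a hit.
        path = urlsplit(row["url"]).path.lower()
        if not path.startswith(ENDPOINT_PREFIX):
            continue
        reasons = []
        if row["source_ip"].strip() == REPORTED_IP:
            reasons.append("reported-ip")
        # Assumption: unauthenticated sessions are logged as "guest" or blank.
        if row["user"].strip().lower() in ("", "guest"):
            reasons.append("unauthenticated")
        # A 2xx answer to a flagged request means data may have been returned.
        if reasons and row["status"].startswith("2"):
            reasons.append("succeeded")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in triage(SAMPLE_LOG):
        print(row["created"], row["source_ip"], row["url"], ",".join(reasons))
```

Rows tagged "succeeded" are the ones to correlate with the tickets and records that need review and the credentials that need rotating; a single reported IP should not be treated as the complete set of sources.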
So they fixed it but didn’t say anything publicly? Cool cool.
Wait, this was June 5th and it was behind a login portal… how are normal customers supposed to even know? Sounds like a data breach waiting to happen.
I don’t get it. If it was unauthenticated, doesn’t that mean anyone could just pull all the customer tables like Netflix passwords? Maybe they mean like “unauthenticated” as in not logged into the right thing? Either way, I’m sure someone got whatever was in the support tickets.
Hidden support bulletin is so shady. Also “anomalous activity” is such a vague phrase, like yeah something happened but no details lol. If they queried instance tables, that could include employee stuff and incident reports and all that. I bet companies will keep using it until another update, because nobody wants to patch the patch.