ServiceNow Discloses Security Incident — Attackers Exploited Unauthenticated API Endpoint to Query Customer Instance Data
ServiceNow has quietly warned customers that attackers exploited an unauthenticated API endpoint to query data from customer instances. A June 5 update locked the endpoint to authenticated users only. Admins point to /api/now/related_list_edit set to requires_authentication=false.
ServiceNow has disclosed a security incident in which attackers exploited an unauthenticated access flaw in a vulnerable API endpoint to query data from customer instances. The company notified affected customers quietly — through a support bulletin gated behind its customer login portal and direct support cases — after detecting anomalous activity tied to the issue.
According to the bulletin, ServiceNow applied a security update to hosted customer instances on June 5, 2026, addressing a flaw that could allow an unauthenticated user, under certain circumstances, to gain greater access to instances than intended. The fix reconfigured the affected API endpoint to restrict access to authenticated users only. The company confirmed attackers had exploited the flaw to successfully query customer instance tables.
What's at Stake
ServiceNow did not disclose which data was accessed, but the platform's role makes the exposure significant. Customer instances routinely store IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems. Support case data in particular has become a prime target: tickets frequently contain credentials, API tokens, internal documentation, and authentication secrets shared during troubleshooting — the same category of data behind the ShinyHunters Salesforce/Drift thefts. An attacker querying instance tables is potentially harvesting exactly the secrets that enable follow-on intrusions.
The Technical Picture
ServiceNow has not published technical details, but administrators discussing the incident have converged on a likely culprit: a REST endpoint at /api/now/related_list_edit/create. According to admins, the endpoint was configured with requires_authentication=false, allowing unauthenticated requests to reach instance data, and the June 5 update set that flag to true. Administrators have also shared indicators of compromise, notably API requests originating from the IP address 51.159.98.241, and are advising peers to review logs for requests to the vulnerable endpoint.
The scope is configuration-dependent. ServiceNow states the issue primarily affects customers on the Australia platform release, or those on older releases who made certain configuration changes. The company has opened support cases with affected customers, and says that organizations which haven't received one are not believed to be impacted. ServiceNow is still evaluating whether to assign a CVE, and did not respond before publication to press questions about how long the activity had been ongoing or whether data was confirmed stolen.

Action Items
Affected organizations, and any ServiceNow customer on the Australia release or an earlier one, should review instance logs for requests to /api/now/related_list_edit, with particular attention to the IP address 51.159.98.241. Treat any tickets or records reachable through the endpoint as potentially exposed: audit them for sensitive content, and rotate any credentials, API tokens, or secrets that may have been shared through support workflows, since those are the highest-value items an attacker would extract. Confirm API logging is enabled going forward. Given that ServiceNow disclosed only through gated channels and hasn't confirmed the data accessed, organizations should not wait for a public CVE or detailed advisory before beginning credential rotation.
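The log review described above, sketched as an added example (not ServiceNow tooling and not part of the original report). The endpoint path and IP address are the ones reported in this article; the CSV column names, the `guest` label for unauthenticated sessions, and the sample rows are assumptions constructed for illustration and must be mapped to your own log export.

```python
import csv
import io
from urllib.parse import urlsplit

ENDPOINT = "/api/now/related_list_edit"  # path named in this article
IOC_IPS = {"51.159.98.241"}              # indicator shared by administrators (from this article)
UNAUTH_USERS = {"", "guest"}             # assumption: how your logs label unauthenticated sessions

# Constructed sample export. Column names are assumptions; map them to your log source.
SAMPLE_LOG = """created_on,url,remote_ip,user,status
2026-06-01 02:14:07,/api/now/related_list_edit/create?a=1,51.159.98.241,guest,200
2026-06-02 11:40:51,/api/now/related_list_edit/create,203.0.113.7,guest,200
2026-06-03 09:02:13,/api/now/table/incident,198.51.100.4,jane.admin,200
2026-06-04 16:25:30,/API/now/related_list_edit/create,192.0.2.10,jane.admin,200
2026-06-04 16:26:02,/api/now/related_list_editor,192.0.2.10,jane.admin,200
2026-06-06 03:33:45,/api/now/related_list_edit/create,51.159.98.241,guest,401
"""

def hits_endpoint(url):
    """True only for the endpoint or its sub-paths, ignoring case and query string."""
    path = urlsplit(url).path.lower().rstrip("/")
    return path == ENDPOINT or path.startswith(ENDPOINT + "/")

def triage(csv_text):
    """Return one finding per request to the endpoint, with reasons and a verdict."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not hits_endpoint(row["url"]):
            continue
        reasons = []
        if row["remote_ip"].strip() in IOC_IPS:
            reasons.append("ioc_ip")
        if row["user"].strip().lower() in UNAUTH_USERS:
            reasons.append("unauthenticated")
        succeeded = row["status"].strip().startswith("2")
        if not reasons:
            verdict = "low"        # authenticated, non-IoC source: expected use
        elif succeeded:
            verdict = "high"       # data may have been returned: audit and rotate
        else:
            verdict = "blocked"    # request was refused, e.g. after the endpoint was locked
        findings.append({"when": row["created_on"], "ip": row["remote_ip"],
                         "reasons": reasons, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["verdict"].upper(), f["when"], f["ip"], ",".join(f["reasons"]) or "-")
```

Rows with a `high` verdict mark the time window to scope the record audit and credential rotation; unauthenticated hits from addresses other than the listed IP are flagged as well, since a single shared indicator may not cover every source.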