ServiceNow Confirms API Flaw Exposed Customer Data via Unauthorized Access, Already Exploited in the Wild
ServiceNow disclosed that a misconfigured Scripted REST API endpoint (/api/now/related_list_edit/create) allowed unauthenticated queries to sensitive tables. The flaw was actively exploited in early June 2026 and affects hosted customers on the Australia release and older versions, prompting an emergency patch and detailed detection and response guidance.
Event Overview
ServiceNow announced that attackers leveraged an unauthenticated Scripted REST API endpoint /api/now/related_list_edit/create to query sensitive tables in customer instances. The vulnerability stemmed from the endpoint’s requires_authentication flag being set to false, allowing any request to be processed without a valid session or token.
Security researchers traced malicious activity to the period of 2–3 June 2026, with evidence suggesting the attackers had been probing the endpoint for roughly two months prior. The attacks originated from IP address 51.159.98.241 and were executed under the Guest user identity, making the activity appear as normal traffic in transaction logs.
ServiceNow applied a security update on 5 June 2026 for hosted customers, changing the flag to true to enforce authentication.
Impact Scope and Data Types
The breach primarily affects customers using the Australia platform release and older versions with the misconfiguration. The platform stores a range of sensitive data, including:
IT support tickets: fault descriptions, resolution steps, internal discussions, often containing credentials and API keys.
Employee records: personal information and organizational hierarchy.
Internal knowledge‑base articles: technical documentation and operation manuals.
Security incident reports: records of vulnerabilities and intrusions.
Workflow configurations: business approval processes and automation rules.
Asset inventory: details of IT devices, applications, and configuration data.
Compromise of this data could give attackers a foothold for lateral movement or privilege escalation.
Root‑Cause Analysis
The core issue is the Scripted REST Resource being deployed with requires_authentication=false, violating the defense‑in‑depth principle by omitting a critical authentication layer. This allowed attackers to craft specific API calls that bypassed all access controls and directly queried backend tables.
This incident is the third high‑severity vulnerability disclosed by ServiceNow in the past eight months:
CVE‑2025‑12420 (fixed 30 Oct 2025): privilege escalation in AI‑enhanced features.
CVE‑2026‑0542 (fixed Jan–Feb 2026): remote code execution threat.
The current vulnerability, confirmed exploited, differs because the previous two were patched before any known exploitation.
Detection and Response Recommendations
Immediate Actions for Hosted Customers
Hosted customers do not need to apply a manual patch; ServiceNow has already deployed the fix. However, they should:
Confirm impact: log into the ServiceNow support portal and verify receipt of a related support case notification.
Review access logs: examine logs from early June 2026 for API calls from unexpected IPs, especially those using the Guest user. Look for entries such as:
Endpoint: /api/now/related_list_edit/create
Source IP: 51.159.98.241
Time range: 2026‑06‑02 to 2026‑06‑03
User: Guest
Check for data leakage: verify whether support tickets contain credentials, API keys, or other sensitive information and assess exposure risk.
Considerations for Self‑Hosted Deployments
Self‑hosted administrators should manually inspect all Scripted REST API resources and ensure the requires_authentication parameter is set to true.
Proactive Defense Measures
API resource audit: review every Scripted REST API, focusing on legacy or custom resources, to confirm proper authentication settings.
Principle of least privilege: restrict API access to the minimum required data sets.
Log monitoring: create alerts for anomalous API activity, such as high‑frequency or cross‑table queries.
Credential rotation: rotate any credentials that may have been exposed in support tickets.
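As an added illustration of the log review and log monitoring recommendations above (example code, not part of the original article or ServiceNow's tooling): a small Python script that scans constructed transaction-log lines for Guest calls to the affected endpoint inside the 2–3 June window and flags source IPs that hit the endpoint in high-frequency bursts. The one-line "timestamp ip user method path" layout and every address other than 51.159.98.241 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "timestamp ip user method path" layout, not ServiceNow's real export format.
SAMPLE_LOG = """\
2026-06-02T10:02:11Z 51.159.98.241 guest POST /api/now/related_list_edit/create
2026-06-02T10:02:12Z 51.159.98.241 guest POST /api/now/related_list_edit/create
2026-06-02T10:02:13Z 51.159.98.241 guest POST /api/now/related_list_edit/create
2026-06-03T01:30:44Z 198.51.100.9 guest GET /api/now/related_list_edit/create
2026-06-10T12:00:00Z 198.51.100.22 bob.itil POST /api/now/related_list_edit/create
"""

ENDPOINT = "/api/now/related_list_edit/create"
WINDOW_START = datetime(2026, 6, 2)
WINDOW_END = datetime(2026, 6, 4)  # exclusive, so 2 and 3 June are covered

def parse(log_text):
    """Yield (timestamp, ip, user, method, path) per line; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        yield (datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), *parts[1:])

def guest_hits(log_text):
    """Calls to the affected endpoint made as Guest inside the exploitation window."""
    return [(ts, ip) for ts, ip, user, _, path in parse(log_text)
            if path == ENDPOINT and user.lower() == "guest"
            and WINDOW_START <= ts < WINDOW_END]

def burst_sources(log_text, threshold=3, window=timedelta(seconds=10)):
    """Source IPs that hit the endpoint at least `threshold` times within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, _, _, path in parse(log_text):
        if path == ENDPOINT:
            by_ip[ip].append(ts)
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(guest_hits(SAMPLE_LOG), burst_sources(SAMPLE_LOG))
```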
Conclusion
The ServiceNow API flaw underscores the security risks inherent in SaaS platforms: a single configuration error can expose vast amounts of sensitive data across many customers. For enterprises relying on ServiceNow, the incident highlights the need for continuous verification of authentication mechanisms, vigilant log analysis, and rapid incident response.