Black & White Path

Jun 11, 2026 · Information Security

ServiceNow Confirms API Flaw Exposed Customer Data via Unauthorized Access, Already Exploited in the Wild

ServiceNow disclosed that a misconfigured Scripted REST API endpoint (/api/now/related_list_edit/create) allowed unauthenticated queries to sensitive tables, was actively exploited in early June 2026, affecting hosted customers on the Australia release and older versions, prompting an emergency patch and detailed detection and response guidance.