ServiceNow Data Breach Exposes Customer Data via API Vulnerability

Severity: High (Score: 69.0)

Sources: Cybernews, Bleepingcomputer

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: servicenow, data, security, customer, access, incident, attackers

Severity indicators: issue, security issue, breach, data breach

Summary

ServiceNow disclosed a security incident on June 5, 2026, where attackers exploited an unauthenticated access flaw in a vulnerable API endpoint, allowing them to query customer data. The company issued notifications to affected customers after detecting anomalous activity. The security update applied on June 5 aimed to restrict access to authenticated users only. The breach primarily impacts customers on the Australia platform release or those with specific configuration changes on older releases. Although ServiceNow has not detailed the data accessed, it is known that sensitive enterprise information, including IT support tickets and employee records, could be at risk. Users on forums have speculated that ServiceNow may have been aware of the vulnerability since early April 2026. The company has opened support cases with affected customers, but the full scope of the impact remains unclear.

Key Points:

  • ServiceNow suffered a data breach due to an unauthenticated API access flaw.
  • The incident affects customers on the Australia platform release and older versions.
  • Sensitive data, including IT support tickets and employee records, may have been exposed.

Detailed Analysis

**Impact**

ServiceNow customers using the Australia platform release or earlier versions with certain configuration changes were affected by unauthorized access to their instances. The breach exposed sensitive enterprise data, including IT support tickets, employee records, internal documentation, asset inventories, and security incident reports. The exact number of impacted customers is unknown, but ServiceNow has contacted those affected. The incident potentially affects large corporations across multiple sectors relying on ServiceNow’s IT service management platform.

**Technical Details**

Attackers exploited a misconfigured REST API endpoint (`/api/now/related_list_edit/create`) that allowed unauthenticated access due to the setting `requires_authentication=false`. This vulnerability enabled unauthorized querying of customer instance tables. The flaw primarily impacted instances running the Australia release or earlier versions with specific configuration changes. Indicators of compromise include API requests originating from IP address `51.159.98.241`. ServiceNow applied a security update on June 5, 2026, to require authentication on the endpoint. No CVE has been assigned yet.

**Recommended Response**

Apply the security update released by ServiceNow on June 5, 2026, which enforces authentication on the vulnerable API endpoint. Review logs for requests to `/api/now/related_list_edit/create`, especially from IP `51.159.98.241`, and investigate any anomalous activity. Affected organizations should audit exposed tickets and records for sensitive information, rotate credentials or tokens shared via support workflows, and ensure API logging is enabled. Monitor for further communications from ServiceNow regarding CVE publication and additional mitigations.
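
The log review recommended above can be scripted. The following is an added example, not code from ServiceNow or the source articles: it assumes access logs exported in Combined Log Format (an assumption; adapt the regex to your own log source), uses the endpoint and IP address named in this advisory, and runs over constructed sample lines.

```python
import re
from collections import Counter

# Endpoint and IP come from the advisory text; everything else is an assumption.
ENDPOINT = "/api/now/related_list_edit/create"
IOC_IPS = {"51.159.98.241"}

# Assumed input: Combined Log Format lines, e.g. from a proxy or log export.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines):
    """Return (findings, per-IP hit counts) for requests to ENDPOINT."""
    findings, per_ip = [], Counter()
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        # Ignore query string, trailing slash and case when matching the path.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path != ENDPOINT:
            continue
        per_ip[m["ip"]] += 1
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        # No authenticated user but a 2xx answer: the condition the fix removes.
        if m["user"] == "-" and m["status"].startswith("2"):
            reasons.append("unauthenticated_success")
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings, per_ip

# Constructed sample lines (not real traffic); 192.0.2.x and 198.51.100.x are
# documentation ranges, and "jdoe" is a made-up user.
SAMPLE = [
    '51.159.98.241 - - [04/Jun/2026:02:11:09 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - jdoe [04/Jun/2026:09:30:01 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [04/Jun/2026:11:02:44 +0000] "GET /api/now/related_list_edit/create?x=1 HTTP/1.1" 200 9001 "-" "-"',
    '198.51.100.7 - - [06/Jun/2026:11:05:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 401 120 "-" "-"',
    '192.0.2.10 - jdoe [04/Jun/2026:09:31:00 +0000] "GET /api/now/table/incident HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE)
    print(hits, dict(counts))
```

An `unauthenticated_success` finding dated after the security update was applied suggests the instance is still serving the endpoint without authentication and should be escalated.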

Source articles (2)

  • ServiceNow discloses security incident exposing customer data — Bleepingcomputer · 2026-06-09
    ServiceNow is warning of a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances. The company q…
  • ServiceNow data breach: security issue gives attacker access — Cybernews · 2026-06-10
    American software behemoth ServiceNow has disclosed a “security incident” that allowed attackers to access customer data. The company says it pushed an update to secure hosted customer instances. User…

Timeline

  • 2026-04-07 — ServiceNow reportedly aware of vulnerability: Internal records indicated that ServiceNow knew about the vulnerability since early April but did not classify it as a threat.
  • 2026-06-05 — Security update applied to hosted customer instances: ServiceNow applied a security update to address the unauthenticated access flaw affecting customer data.
  • 2026-06-09 — ServiceNow discloses security incident: ServiceNow publicly acknowledged the security incident, warning customers about the exposure of their data.
  • 2026-06-10 — Cybernews reports on customer concerns: Customers expressed concerns that ServiceNow may have known about the issue for months prior to disclosure.

Related entities

  • Data Breach (Attack Type)
  • ServiceNow (Company)
  • Australia (Country)
  • Brazil (Country)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-287 - Improper Authentication (CWE)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • Now Assist AI Agents (Platform)
  • Virtual Agent API (Platform)
  • BodySnatcher (Vulnerability)