ServiceNow discloses unauthenticated API flaw that let attackers query customer instance data
ServiceNow disclosed that a misconfigured Scripted REST API endpoint, reachable without authentication, let actors query data from hosted customer instances. The company patched the issue on 5 June but did not publish an advisory, itself gated behind a customer login, until days later.
- Victim: ServiceNow
On 9 June 2026, ServiceNow, the Santa Clara enterprise software firm whose workflow platform underpins IT, HR and customer-service operations at thousands of large organisations, disclosed a security incident in which actors had exploited an unauthenticated REST API endpoint to query data from hosted customer instances. The company had applied a fix on 5 June but only posted an advisory, KB3067321, days later, and that bulletin sits behind a customer support-portal login.
What happened
Reporting attributes the issue to a Scripted REST Resource reachable at /api/now/related_list_edit/create that was deployed with its authentication requirement disabled (requires_authentication=false). With that flag off, a request carrying no credentials could query customer instance tables, potentially reaching data held by multiple tenants. Observed activity against customer instances is reported to trace back to around 2–3 June 2026, before ServiceNow pushed its security update to hosted instances on 5 June.
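One way to check an instance you administer for this class of misconfiguration, as an added example that is not from the page's sources or from ServiceNow: a Python audit that pulls Scripted REST resources through the Table API and flags every resource whose authentication flag is not explicitly true. The table and field names (sys_ws_definition with service_id and namespace; sys_ws_operation with web_service_definition, http_method, relative_path, requires_authentication, requires_acl_authorization) and the /api/<namespace>/<service_id><relative_path> URL shape are assumptions taken from the Scripted REST Resource form, not facts stated on this page; verify them against your instance. The sample records below are constructed so the script runs offline.

```python
"""Audit Scripted REST Resources whose requires_authentication flag is off.

Assumptions (not from the page): Scripted REST APIs live in sys_ws_definition
(service_id, namespace) and their resources in sys_ws_operation
(web_service_definition, http_method, relative_path, requires_authentication,
requires_acl_authorization). Verify these against your own instance.
"""
import sys
from urllib.parse import urlencode

TABLE_API = "/api/now/table"


def build_audit_requests(instance_base):
    """Return the two Table API GET URLs an auditor would issue (authenticated,
    e.g. with an admin basic-auth header). instance_base is a placeholder such
    as "https://example.service-now.com"."""
    ops_query = {
        "sysparm_query": "requires_authentication=false",
        "sysparm_fields": "sys_id,web_service_definition,http_method,"
                          "relative_path,requires_authentication,"
                          "requires_acl_authorization",
        "sysparm_limit": "1000",
    }
    defs_query = {
        "sysparm_fields": "sys_id,name,service_id,namespace",
        "sysparm_limit": "1000",
    }
    return {
        "operations": f"{instance_base}{TABLE_API}/sys_ws_operation?{urlencode(ops_query)}",
        "definitions": f"{instance_base}{TABLE_API}/sys_ws_definition?{urlencode(defs_query)}",
    }


def _flag_off(value):
    """Table API returns booleans as the strings "true"/"false". Fail closed:
    anything that is not literally "true" counts as the protection being off."""
    return str(value).strip().lower() != "true"


def resource_path(definition, operation):
    """Assumed URL shape for a Scripted REST resource."""
    rel = operation.get("relative_path") or "/"
    if not rel.startswith("/"):
        rel = "/" + rel
    return f"/api/{definition['namespace']}/{definition['service_id']}{rel}"


def find_unauthenticated_resources(definitions, operations):
    """One finding per resource that does not require authentication."""
    by_id = {d["sys_id"]: d for d in definitions}
    findings = []
    for op in operations:
        if not _flag_off(op.get("requires_authentication")):
            continue
        ref = op.get("web_service_definition")
        # Reference fields come back as {"link": ..., "value": sys_id} by default
        def_id = ref["value"] if isinstance(ref, dict) else ref
        definition = by_id.get(def_id)
        if definition is None:
            path = f"<unknown definition {def_id}>{op.get('relative_path', '')}"
        else:
            path = resource_path(definition, op)
        findings.append({
            "method": str(op.get("http_method", "?")).upper(),
            "path": path,
            "acl_enforced": not _flag_off(op.get("requires_acl_authorization")),
            "sys_id": op.get("sys_id"),
        })
    findings.sort(key=lambda f: (f["path"], f["method"]))
    return findings


# Constructed sample records in Table API shape (not real instance data).
SAMPLE_DEFINITIONS = [
    {"sys_id": "d1", "name": "Related List Edit",
     "service_id": "related_list_edit", "namespace": "now"},
    {"sys_id": "d2", "name": "Status", "service_id": "status", "namespace": "x_acme"},
]
SAMPLE_OPERATIONS = [
    {"sys_id": "o1", "web_service_definition": {"value": "d1", "link": "..."},
     "http_method": "POST", "relative_path": "/create",
     "requires_authentication": "false", "requires_acl_authorization": "true"},
    {"sys_id": "o2", "web_service_definition": {"value": "d1", "link": "..."},
     "http_method": "GET", "relative_path": "/list",
     "requires_authentication": "true", "requires_acl_authorization": "true"},
    {"sys_id": "o3", "web_service_definition": "d2",
     "http_method": "GET", "relative_path": "ping",
     "requires_authentication": "false", "requires_acl_authorization": "false"},
]

if __name__ == "__main__":
    for f in find_unauthenticated_resources(SAMPLE_DEFINITIONS, SAMPLE_OPERATIONS):
        acl = "ACL enforced" if f["acl_enforced"] else "NO ACL check"
        print(f"UNAUTHENTICATED {f['method']:5} {f['path']}  ({acl}, sys_id={f['sys_id']})")
    # Non-zero exit lets a CI job fail when any resource is reachable anonymously
    sys.exit(1 if find_unauthenticated_resources(SAMPLE_DEFINITIONS, SAMPLE_OPERATIONS) else 0)
```

The second flag matters because a resource that skips authentication but still runs ACLs evaluates them as the guest user, while one that skips both hands the resource script whatever the script author wrote; the audit reports both so the reviewer can prioritise.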
ServiceNow stated it believes the observed activity was likely tied to security researchers or customer-led research associated with bug-bounty submissions rather than malicious threat actors. The company had received a confidential bug-bounty report describing a similar issue on 22 April 2026, roughly six weeks before the patch was applied.
Impact
- An unauthenticated API endpoint that could be used to query data from hosted customer instances, with cross-tenant exposure reported as the central risk.
- ServiceNow patched hosted instances on 5 June 2026 and characterises the activity as likely research-related rather than confirmed malicious exploitation.
- The advisory (KB3067321) is gated behind a support-portal login, which several outlets noted left customers slow to learn of the exploited flaw.
Why it matters
ServiceNow sits at the centre of back-office automation for governments and large enterprises, so an unauthenticated path into instance data is a high-value target regardless of who first walked through it. The episode is a reminder of two recurring failure modes in SaaS security: a single mis-set authentication flag on one REST resource can undo the platform's tenant isolation, and login-gated advisories slow the very customers who most need to assess their exposure. Even where a vendor assesses the activity as likely benign research, the roughly six-week window between the original bug-bounty report and the fix is the interval that matters to defenders.
Timeline
22 April 2026: ServiceNow receives a confidential bug-bounty submission describing a similar unauthenticated-access issue.
Around 2–3 June 2026: Observed activity querying customer instances via the vulnerable endpoint begins, per reporting.
5 June 2026: ServiceNow applies a security update to hosted customer instances.
9 June 2026: ServiceNow discloses the incident and publishes advisory KB3067321; the bulletin requires a customer support-portal login to read.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/
- techtimes.com: https://www.techtimes.com/articles/318166/20260610/servicenow-data-breach-gated-advisory-left-customers-unaware-exploited-zero-auth-api.htm
- socradar.io: https://socradar.io/blog/servicenow-breach-customer-api-access/
- triskelelabs.com: https://www.triskelelabs.com/resources/servicenow-security-incident-unauthenticated-api-access-exposing-customer-data
- rescana.com: https://www.rescana.com/post/servicenow-api-security-incident-exposes-customer-data-analysis-of-unauthenticated-access-vulnerability-june-2026