ServiceNow API Security Incident Exposes Customer Data: Analysis of Unauthenticated Access Vulnerability (June 2026)

Executive Summary

On June 5, 2026, ServiceNow applied a security update to address a critical vulnerability in its hosted customer instances after detecting anomalous activity related to unauthenticated access via a misconfigured API endpoint. The flaw allowed unauthenticated users, under certain circumstances, to query sensitive data from customer instances. The incident primarily affected customers on the Australia platform release or those with specific configuration changes on older releases. ServiceNow notified impacted customers directly through support cases and confirmed that remediation was applied to all hosted instances. While the company has not disclosed the specific data accessed, customer instances typically contain sensitive enterprise information such as IT support tickets, employee records, and internal documentation. The investigation remains ongoing, with current evidence suggesting that the observed activity may be attributable to security researchers or customers conducting their own research. No malware or advanced tools were identified in the attack, and no evidence currently links the incident to known threat actors. Organizations are advised to review their logs for suspicious activity, rotate credentials or tokens exposed in support workflows, and ensure all API endpoints enforce proper authentication controls. For further questions, contact ops@rescana.com.

Technical Information

The security incident affecting ServiceNow was the result of an unauthenticated access flaw in a vulnerable API endpoint, specifically /api/now/related_list_edit/create. This endpoint was reportedly configured with requires_authentication=false, allowing unauthenticated HTTP requests to access sensitive data within customer instances. The flaw was present in the Australia platform release and in older releases where certain configuration changes had been made. The vulnerability was exploited between June 2 and June 3, 2026, with anomalous activity detected by ServiceNow and corroborated by multiple independent sources (BleepingComputer, Triskele Labs, National CIO Review).

The technical root cause was a misconfiguration in a Scripted REST Resource, where the requires_authentication parameter was set to false. This allowed unauthenticated users to send requests to the endpoint and query instance tables, potentially exposing sensitive data such as IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services. Support case data, which can include credentials, API tokens, and authentication secrets, was also at risk.

The security update applied by ServiceNow on June 5, 2026, changed the endpoint configuration to require authentication (requires_authentication=true), thereby mitigating the vulnerability. Indicators of compromise (IoCs) include API requests to /api/now/related_list_edit/create, activity from the IP address 51.159.98.241, and log entries attributed to the Guest user account. The incident was detected after ServiceNow observed anomalous activity in transaction logs, with some organizations reporting approximately five unauthorized hits per tenant.

No malware or custom exploitation tools were identified in this incident. The attack leveraged standard HTTP requests to exploit the misconfigured API endpoint. There is no evidence of exploitation frameworks or post-exploitation tools being used.

The attack method aligns with the MITRE ATT&CK framework as follows:

  • Initial Access: Exploit Public-Facing Application (T1190) – Attackers exploited a misconfigured public API endpoint to gain unauthorized access.
  • Collection: Data from Information Repositories (T1213) – Attackers queried instance tables to collect sensitive data.
  • Defense Evasion: Valid Accounts (T1078) – Activity appeared as the Guest user due to lack of authentication, complicating detection.
  • Discovery: Account Discovery (T1087) – Attackers may have enumerated accessible data via the API, though this is inferred and not directly confirmed.

The incident highlights the risks associated with misconfigured API endpoints in SaaS environments. Exploitation of unauthenticated or misconfigured APIs is a common attack vector, as seen in previous incidents involving other major vendors (Darktrace API Security, Equixly API Incidents, EclecticIQ Ivanti EPMM).

ServiceNow’s investigation suggests that the observed activity may be attributable to security researchers or customers conducting their own research, as indicated by bug bounty submissions and researcher statements. The company reported that researchers involved confirmed the IP addresses used during their testing and stated they did not retain any customer data. No technical indicators link this incident to known advanced persistent threat (APT) or cybercriminal groups.

The incident did not target any specific sector; rather, it was opportunistic, affecting organizations based on their platform configuration. ServiceNow is widely used across IT, HR, customer service, and business process management sectors, and the attack vector was not industry-specific.

Affected Versions & Timeline

The vulnerability primarily affected customers running the Australia platform release of ServiceNow and those on older releases who had made certain configuration changes. The issue was not confirmed to affect self-hosted deployments, and ServiceNow has not publicly released a dedicated patch for on-premises environments. The timeline of the incident is as follows:

  • April 22, 2026: ServiceNow receives a confidential bug bounty submission describing the vulnerability (National CIO Review).
  • June 2-3, 2026: Anomalous activity is detected in customer instances, with unauthorized queries observed (Triskele Labs).
  • June 3-4, 2026: Additional reports are submitted by customers and security researchers.
  • June 5, 2026: ServiceNow applies a security update to all hosted customer instances, changing the API endpoint configuration to require authentication (BleepingComputer).
  • June 7, 2026: Security researchers submit a report to ServiceNow’s bug bounty program.
  • June 9-10, 2026: Public disclosure of the incident by multiple sources.

ServiceNow notified affected customers directly through support cases. If a customer did not receive a notification, they are not believed to be affected by the incident.

Threat Activity

The threat activity involved exploitation of a misconfigured API endpoint that allowed unauthenticated access to customer instance data. The activity was detected through anomalous API requests, particularly to the /api/now/related_list_edit/create endpoint, and was associated with the IP address 51.159.98.241. Log entries attributed to the Guest user account were also identified as indicators of compromise.

ServiceNow’s investigation indicates that the activity may be attributable to security researchers or customers conducting their own research, rather than malicious threat actors. Researchers involved in the incident confirmed that they did not retain or misuse any customer data and that their actions were limited to validating the vulnerability for bug bounty submissions.

No evidence of malware, exploitation frameworks, or post-exploitation tools was found. The attack relied solely on standard HTTP requests to exploit the misconfigured API endpoint. The incident did not involve data destruction, ransomware, or other forms of impact beyond unauthorized data access.

The attack method is consistent with known patterns of exploiting unauthenticated or misconfigured API endpoints in cloud environments. Previous incidents involving similar attack vectors have targeted other major vendors, underscoring the importance of robust API security controls.

Mitigation & Workarounds

ServiceNow has already applied a security update to all hosted customer instances, enforcing authentication on the vulnerable API endpoint. No additional patching is required for customers using the vendor-hosted platform. However, organizations should take the following actions to ensure comprehensive mitigation and reduce residual risk:

  • Review transaction and node logs for any suspicious or unexpected API activity, particularly requests to /api/now/related_list_edit/create, activity from the IP address 51.159.98.241, and events attributed to the Guest user account around June 2-3, 2026.
  • Where exposure or unauthorized access is suspected, rotate any credentials, API tokens, or secrets that may have been stored within records, tickets, or attachments accessible through the affected instance.
  • Audit all Scripted REST API resources within the environment and verify that the requires_authentication setting is configured to true for all endpoints, with particular attention to older or legacy resources.
  • Ensure that Access Control List (ACL) enforcement is correctly configured, as authentication requirements and ACL enforcement operate independently within Scripted REST Resources.
  • Where suspicious activity is identified, escalate through established incident response processes and preserve all relevant logs and artifacts for forensic analysis.
  • Forward ServiceNow logs to a Security Information and Event Management (SIEM) platform and actively monitor them there to support timely detection and investigation.

Self-hosted customers should manually verify that the affected Scripted REST Resource enforces authentication and should not assume that protections have been automatically applied. If any endpoints are found with requires_authentication=false, immediate remediation is required to prevent unauthorized access.
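As an added example (not code from this advisory, from ServiceNow, or from Rescana), the Python below runs the two checks recommended above over constructed sample records: the log review for the endpoint, IP and Guest-user indicators within the June 2-3 window, and the Scripted REST resource audit for both requires_authentication and ACL enforcement. The JSON-lines log layout and the sys_ws_operation field names are assumptions, not ServiceNow's documented schema.

```python
import json
from datetime import datetime, timezone

# Indicators named in the advisory; WINDOW bounds the June 2-3 activity period.
IOC_PATH = "/api/now/related_list_edit/create"
IOC_IP = "51.159.98.241"
WINDOW = (datetime(2026, 6, 2, tzinfo=timezone.utc), datetime(2026, 6, 4, tzinfo=timezone.utc))
# Constructed records in a simplified JSON-lines layout (not ServiceNow's native
# transaction-log schema); the Guest hit on /login.do is expected, benign noise.
SAMPLE_LOGS = [
    '{"sys_created_on":"2026-06-02T14:03:11+00:00","user":"guest","client_ip":"51.159.98.241","url":"/api/now/related_list_edit/create","status":200}',
    '{"sys_created_on":"2026-06-02T15:10:00+00:00","user":"guest","client_ip":"203.0.113.7","url":"/login.do","status":200}',
    'not a json record',
    '{"sys_created_on":"2026-06-03T02:00:00+00:00","user":"guest","client_ip":"198.51.100.9","url":"/api/now/table/sys_user","status":403}',
]
# Constructed Scripted REST resource records; field names follow sys_ws_operation (assumption).
SAMPLE_RESOURCES = [
    {"name": "related_list_edit/create", "requires_authentication": False, "requires_acl_authorization": True},
    {"name": "incident/lookup", "requires_authentication": True, "requires_acl_authorization": True},
    {"name": "legacy/export", "requires_authentication": True, "requires_acl_authorization": False},
]

def flag_transactions(lines):
    """Return (record, reasons) for each log line that matches an indicator."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the review
        url, reasons = rec.get("url", ""), []
        if url.startswith(IOC_PATH):
            reasons.append("ioc_path")
        if rec.get("client_ip") == IOC_IP:
            reasons.append("ioc_ip")
        ts = datetime.fromisoformat(rec.get("sys_created_on", "1970-01-01T00:00:00+00:00"))
        # Guest on an API path inside the window is worth review even when the response was 403.
        if rec.get("user", "").lower() == "guest" and url.startswith("/api/") and WINDOW[0] <= ts < WINDOW[1]:
            reasons.append("guest_in_window")
        if reasons:
            hits.append((rec, reasons))
    return hits

def audit_rest_resources(resources):
    """Return (name, issue) for resources lacking authentication or ACL checks; both are checked independently."""
    weak = []
    for r in resources:
        for field in ("requires_authentication", "requires_acl_authorization"):
            if not r.get(field, True):
                weak.append((r["name"], f"{field}=false"))
    return weak
```

On a real instance the resource records would come from the Table API or an export of the Scripted REST resource list rather than the constructed SAMPLE_RESOURCES.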

References

  • BleepingComputer: https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/
  • Triskele Labs: https://www.triskelelabs.com/resources/servicenow-security-incident-unauthenticated-api-access-exposing-customer-data?hs_amp=true
  • National CIO Review: https://nationalcioreview.com/articles-insights/extra-bytes/servicenow-addresses-security-flaw-following-unauthorized-activity/
  • Darktrace API Security: https://www.darktrace.com/cyber-ai-glossary/api-security
  • Equixly API Incidents: https://equixly.com/blog/2025/09/08/2025-top-5-api-incidents/
  • EclecticIQ Ivanti EPMM: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, monitor, and mitigate risks associated with external vendors and SaaS providers. Our platform enables continuous assessment of vendor security posture, automated evidence collection, and real-time alerting on emerging threats relevant to your supply chain. For questions about this incident or to discuss how our capabilities can support your risk management program, contact us at ops@rescana.com.