Attackers exploited an unauthenticated access vulnerability in a ServiceNow API endpoint ('/api/now/related_list_edit/create') that was configured to allow unauthenticated requests, enabling them to query data from customer instances. ServiceNow detected anomalous activity and applied a security update on June 5, 2026, to require authentication for this endpoint. The breach exposed sensitive customer data stored in ServiceNow instances, including IT support tickets and internal corporate information. The vulnerability mainly affected customers on the Australia platform release or those with specific configuration changes on earlier releases. ServiceNow has notified affected customers through direct support cases and is evaluating whether to publish a CVE.

Unauthorized actors were able to access and query data from customer instances, potentially exposing sensitive enterprise information such as IT support tickets, employee records, internal documentation, asset inventories, and security incident reports. This exposure could lead to further risks if credentials, API tokens, or authentication secrets contained in support tickets were accessed. The breach impacts confidentiality of customer data hosted on ServiceNow instances.

ServiceNow applied an official security update on June 5, 2026, that changes the API endpoint configuration to require authentication, mitigating the vulnerability. Impacted customers have been notified via support cases. Customers who have not received notification are not believed to be affected. Administrators should verify that their instances have received the update and review logs for any suspicious requests to the vulnerable endpoint. No additional immediate action is required beyond applying the update and monitoring for indicators of compromise.