Attackers exploited an unauthenticated access flaw in a ServiceNow REST API endpoint ('/api/now/related_list_edit/create') that was configured to allow unauthenticated requests, enabling them to query data from customer instances. The vulnerability was present primarily in customers running the Australia platform release or those with specific configuration changes on older releases. ServiceNow applied a security update on June 5, 2026, changing the endpoint configuration to require authentication, thereby limiting access. The company has notified impacted customers and is evaluating whether to publish a CVE. The exposed data may include sensitive enterprise information commonly stored in ServiceNow instances.

The vulnerability allowed unauthenticated attackers to query customer instance data, potentially exposing sensitive enterprise information such as IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details. This could lead to unauthorized disclosure of confidential corporate information and credentials contained in support tickets. The incident affected customers on the Australia platform release or with certain configuration changes on older releases. ServiceNow has confirmed exploitation occurred but has not disclosed the full extent of data accessed.

ServiceNow applied an official security update on June 5, 2026, to require authentication on the vulnerable API endpoint, effectively mitigating the issue. Customers impacted have been notified via support cases. Administrators are advised to verify that their instances have received this update and to review logs for suspicious API requests to the endpoint '/api/now/related_list_edit/create', especially from the IP address '51.159.98.241'. If a customer has not received a support case from ServiceNow, they are not believed to be affected. No further action is required beyond ensuring the update is applied.