Security
ServiceNow unauthenticated API access exploited against customer instances
- Category: Security
- Status: confirmed
- Sources: BleepingComputer, TechTimes
- Summary: ServiceNow disclosed on 2026-06-10 that attackers accessed customer instance data between 2026-06-02 and 2026-06-03 via the REST endpoint
/api/now/related_list_edit/create, which was configured without authentication on affected instances. The incident primarily affected customers on the Australia platform release. ServiceNow had received a bug bounty submission describing the issue on 2026-04-22 but applied a server-side patch only on 2026-06-05, after external exploitation was detected. No CVE has been assigned. ServiceNow attributed the activity to security researchers rather than malicious threat actors, though customer instance data was queried. - Why it matters: Self-managed ServiceNow instances should audit REST endpoints for authentication requirements; hosted SaaS customers require no action as the fix was applied server-side.