ServiceNow has disclosed a security issue that, under certain circumstances, could allow an unauthenticated user to gain unintended access to information stored in customer instances. The company applied a security update on June 5, 2026, after investigating reports submitted through both customer bug bounty programs and ServiceNow’s own bug bounty program.
According to ServiceNow, similar reports were submitted by customers on June 3-4, 2026, and matched a confidential bug bounty submission the company received on April 22, 2026. During its investigation, ServiceNow identified a subset of customer instances that experienced unattributed activity beginning on June 2, 2026.
While the company confirmed that some customer instances were successfully queried, it stated that its investigation currently indicates the activity may be attributable to security researchers or customers conducting their own security research.
ServiceNow emphasized that its investigation remains ongoing.
Why It Matters: ServiceNow is widely used by enterprises to manage IT operations, HR workflows, customer service processes, and business processes. Because customer instances can contain operational data, employee information, support records, asset inventories, and internal documentation, unauthorized access to those environments raises concerns about the exposure of sensitive business information.
- A subset of customer instances were successfully queried: ServiceNow confirmed that some customer instances were queried as part of the observed activity. The company has opened dedicated support cases for impacted customers and says customers affected by the activity have been notified directly.
- The issue involved unauthenticated access under certain circumstances: According to ServiceNow, the vulnerability could allow an unauthenticated user to gain unintended access to information in customer instances. The company has not publicly disclosed detailed technical information about the flaw.
- Researchers may have been responsible for the observed activity: ServiceNow stated that two security researchers submitted a report to its bug bounty program on June 7, 2026. Based on its investigation to date, the company has reason to believe the observed activity can be attributed to security researchers or customers conducting their own research, though the investigation remains ongoing.
- Researchers say they did not retain customer data: ServiceNow reported that the researchers involved confirmed the IP addresses used during their testing, stated they did not screenshot, use, or retain any successfully queried data, and indicated that queries were performed solely to validate their findings and submit bug bounty reports.
- Questions remain about the disclosure timeline: ServiceNow acknowledged receiving a similar confidential bug bounty submission on April 22, 2026, before additional reports surfaced in early June. The company has not publicly commented on claims circulating in online forums regarding earlier awareness of the vulnerability beyond the dates disclosed in its advisory.
Go Deeper:
- ServiceNow data breach: security issue gives attacker access – Cybernews
- ServiceNow discloses security incident exposing customer data – Bleeping Computer
- ServiceNow Patches Vulnerability Exploited Against Some Customers – SecurityWeek


