ServiceNow Addresses Security Flaw Following Unauthorized Activity

An uninvited guest.
Emily Hill
Contributing Writer

ServiceNow has disclosed a security incident involving a vulnerability that allowed unauthorized users to gain broader access to customer instances than intended. The company says it applied a security update on June 5, 2026, to address the issue and has begun notifying customers whose environments showed evidence of successful unauthorized queries.

According to customer advisories, the flaw appears to have involved a misconfigured endpoint that permitted unauthenticated access under certain conditions.

While ServiceNow has confirmed anomalous activity and successful queries against customer instance tables, it has not publicly disclosed the total number of affected organizations or the specific types of data accessed.

Why It Matters: ServiceNow is widely used by enterprises to manage IT operations, HR workflows, customer service processes, and internal business systems. A vulnerability affecting customer instances could expose sensitive operational information, employee data, support records, infrastructure details, and other business-critical assets.

  • Unauthorized access was confirmed: ServiceNow acknowledged that attackers were able to perform successful queries against customer instance tables in a subset of environments. The company has notified affected customers through support cases and says customers who did not receive notifications are not currently believed to be impacted.
  • The issue appears linked to endpoint authentication settings: Reports from administrators and security researchers suggest a REST API endpoint may have been configured in a way that allowed unauthenticated access. ServiceNow’s fix reportedly changed endpoint behavior to require authentication before access is granted.
  • Certain platform versions were more exposed: The company stated that the vulnerability primarily affected customers running the Australia platform release or those who had applied specific configuration changes on earlier releases. This suggests exposure depended on both software version and configuration state.
  • Questions remain about prior knowledge of the flaw: Multiple administrators on Reddit claimed ServiceNow had been informed about the issue earlier and may have been aware of related concerns since April 7, 2026. ServiceNow has not publicly confirmed those allegations, leaving uncertainty around the timeline between discovery and remediation.
  • Potentially sensitive enterprise data may have been accessible: Although ServiceNow has not detailed what information was queried, customer instances often contain support tickets, employee records, workflow information, asset inventories, incident reports, internal documentation, and occasionally credentials or tokens shared during troubleshooting processes.

Go Deeper -> ServiceNow data breach: security issue gives attacker access – Cybernews

ServiceNow discloses security incident exposing customer data – Bleeping Computer

ServiceNow Patches Vulnerability Exploited Against Some Customers – SecurityWeek
