ServiceNow fixes API issue that allowed unauthorized instance table queries


ServiceNow has fixed a security issue that could allow unauthenticated access to some customer instances under specific conditions, with evidence that instance tables were successfully queried for a subset of customers.

The company applied a security update to hosted customer instances on June 5, 2026, according to a public ServiceNow Trust advisory. The update changed an endpoint configuration so access is limited to authenticated users.

The issue drew attention because ServiceNow instances often store sensitive enterprise data, including IT tickets, employee records, internal workflows, configuration details, asset inventories, and security operations information.

ServiceNow says affected customers were notified

ServiceNow said it detected anomalous activity related to the issue. For some customers, the company observed successful queries of instance tables and notified those customers through support cases.

BleepingComputer reported that ServiceNow’s customer bulletin said hosted instances received the update on June 5 and that the change was intended to restrict access to authenticated users only.

ServiceNow later stated that, based on its investigation so far, the observed activity appears attributable to security researchers or customer-led research. The company said the researchers advised that the activity was tied to bug bounty submissions and that no data was used or retained.

Issue | What is known | Why it matters
--- | --- | ---
Affected platform | ServiceNow hosted customer instances under specific conditions | Instances can contain sensitive operational and business records.
Access type | Unauthenticated access was possible in certain circumstances | This could allow access beyond what ServiceNow intended.
Observed activity | Successful instance table queries for a subset of customers | Queried tables may contain internal data depending on the instance.
Fix date | June 5, 2026 | ServiceNow changed the endpoint configuration.
Attribution | Likely security researchers or customer research, according to ServiceNow | The company has not confirmed criminal exploitation.

The issue was tied to an API endpoint

ServiceNow has not published full technical details for the issue. However, reports from administrators and security outlets point to a REST endpoint used for editing related lists.

The reported endpoint path is /api/now/related_list_edit/create. Administrators discussing the issue said the endpoint may have been configured in a way that did not require authentication before the June 5 update.

SecurityWeek reported that the issue affected customers on the Australia platform release or those on older releases who made certain configuration changes. ServiceNow was also evaluating whether to assign a CVE.

  • ServiceNow applied the hosted instance update on June 5, 2026.
  • The issue involved an endpoint configuration change.
  • Successful table queries were observed for a subset of customers.
  • Affected customers were notified through support cases.
  • ServiceNow later said the observed activity likely came from researchers, not criminal operators.

Why instance table access can be sensitive

ServiceNow tables can store records that support IT service management, HR workflows, customer service, security operations, asset tracking, procurement, and internal business automation.

Even if an exposed query does not directly reveal passwords, table data can still help an attacker understand internal systems, users, support processes, assets, incident histories, and integration points.

That type of information can become useful for phishing, social engineering, credential targeting, lateral movement planning, or abuse of internal workflows if it reaches the wrong hands.

Possible table data | Potential security concern
--- | ---
IT support tickets | May contain troubleshooting details, system names, or sensitive attachments.
Employee records | May expose names, roles, teams, contact details, or HR-related information.
Security incident records | May reveal investigations, affected systems, or internal response processes.
Configuration data | May expose workflows, integrations, business rules, or system relationships.
Asset inventories | May help map devices, applications, ownership, and environment structure.

Admins should review exposure and logs

Customers that received a support case from ServiceNow should treat the notification as the main source of instance-specific guidance. According to the reporting on ServiceNow’s customer bulletin, organizations without a support case are not currently believed to be affected.

Admins should still review logs for suspicious API activity, especially if they run the Australia platform release or older releases with custom configuration changes.

BleepingComputer said administrators were advised to look for requests to /api/now/related_list_edit, particularly activity associated with the IP address 51.159.98.241.

  • Check whether ServiceNow opened a support case for your organization.
  • Review API and access logs for requests to related_list_edit endpoints.
  • Look for unusual unauthenticated requests or table query patterns.
  • Review exposed tickets and records for sensitive content.
  • Rotate credentials, tokens, or secrets if they appeared in potentially exposed records.
  • Confirm that API logging is enabled and retained long enough for investigation.
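The log review described above can be scripted. The following is an added example, not code from the article, from ServiceNow, or from BleepingComputer: it parses constructed access-log lines in a combined-log-like format (ServiceNow's own log exports use a different layout, so the regular expression is an assumption to adapt), flags every request to the /api/now/related_list_edit endpoint family, and highlights the two patterns the checklist calls out, unauthenticated requests that succeeded and requests from the reported IP address. The sample log lines and the other IP addresses in them are constructed for the example.

```python
"""Flag access-log requests to the related_list_edit endpoint family.

Added example (not from the article or ServiceNow). It assumes a
combined-log-style line with an authenticated-user field; adjust LOG_RE
to match your instance's log export.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IP address named in the article's reporting of the administrator guidance.
REPORTED_IP = "51.159.98.241"
ENDPOINT_PREFIX = "/api/now/related_list_edit"

# Constructed sample log lines. "-" in the user field means no authenticated user.
SAMPLE_LOG = """\
10.0.0.5 - alice [05/Jun/2026:10:01:02 +0000] "POST /api/now/table/incident HTTP/1.1" 201 512
51.159.98.241 - - [05/Jun/2026:10:02:15 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 2048
203.0.113.9 - - [05/Jun/2026:10:03:40 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 1024
10.0.0.7 - bob [05/Jun/2026:10:04:11 +0000] "GET /api/now/related_list_edit/list HTTP/1.1" 200 300
192.0.2.8 - - [05/Jun/2026:10:05:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 401 0
198.51.100.4 - - [05/Jun/2026:10:06:30 +0000] "GET /api/now/table/sys_user HTTP/1.1" 401 0
"""

# Assumed log layout: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    user: Optional[str]
    method: str
    path: str
    status: int
    reasons: List[str]


def parse_line(line: str):
    """Return (ip, user_or_None, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    user = None if d["user"] == "-" else d["user"]
    return d["ip"], user, d["method"], d["path"], int(d["status"])


def analyze(log_text: str, endpoint_prefix: str = ENDPOINT_PREFIX,
            flagged_ip: str = REPORTED_IP) -> List[Finding]:
    """Collect every request under endpoint_prefix and annotate why it is of interest."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, method, path, status = parsed
        if not path.startswith(endpoint_prefix):
            continue
        reasons = ["related_list_edit endpoint"]
        # A 2xx/3xx response with no authenticated user is the pattern the fix was meant to stop.
        if user is None and status < 400:
            reasons.append("unauthenticated request succeeded")
        if ip == flagged_ip:
            reasons.append("source IP matches reported address")
        findings.append(Finding(ip, user, method, path, status, reasons))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Counts an analyst can put straight into a ticket or support case."""
    return {
        "total_endpoint_hits": len(findings),
        "unauthenticated_success": sum(
            "unauthenticated request succeeded" in f.reasons for f in findings),
        "from_reported_ip": sum(
            "source IP matches reported address" in f.reasons for f in findings),
        "source_ips": sorted({f.ip for f in findings}),
    }


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.ip:15} {f.user or '-':8} {f.method:5} {f.path} {f.status}  <- {', '.join(f.reasons)}")
    print(summarize(results))
```

The 401 line from the constructed sample is reported as an endpoint hit but not as an unauthenticated success; after the June 5 change that is the expected outcome, so the useful signal is successful unauthenticated requests dated before the fix and any request from the reported address.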

Access controls remain critical in ServiceNow

ServiceNow environments rely heavily on platform access controls. The official ServiceNow Access Control List rules documentation explains that ACL rules restrict access to data by requiring users to pass defined requirements before interacting with records.

This incident highlights why SaaS security teams need both vendor patching and internal configuration review. Even when the vendor fixes an endpoint issue, customers still need to understand which records may contain sensitive information and who can access them.

Security teams should review least-privilege access, integration accounts, exposed APIs, and permissions for tables that contain employee data, support cases, incident records, security data, or operational secrets.

Priority | Action | Reason
--- | --- | ---
Immediate | Review any ServiceNow support case tied to this issue | ServiceNow says impacted customers were notified directly.
Immediate | Check logs for related_list_edit endpoint activity | This may reveal suspicious or research-related probing.
High | Review sensitive tickets and table records | Tickets can contain credentials, tokens, internal URLs, or troubleshooting details.
High | Rotate exposed secrets | Any credential stored in an exposed record should be considered at risk.
Planned | Audit ACLs and table permissions | Strong table and field controls reduce future data exposure risk.

ServiceNow says no broad customer action is required

ServiceNow has told customers that no action is required because it applied the security update to hosted customer instances. Still, security teams should not ignore direct notifications or suspicious log activity.

The public ServiceNow advisory also says the company is in contact with the researchers and believes the observed activity was tied to research rather than malicious use.

SecurityWeek noted that ServiceNow published a public advisory after initial reporting and clarified that the activity had been attributed to security researchers rather than attackers.

For admins, the safest path is to confirm whether their organization was notified, review API logs, examine any potentially exposed records, and use this incident as a reason to tighten ServiceNow table permissions.

Teams should also revisit the ServiceNow ACL documentation to validate how access rules apply to sensitive tables and fields across their instances.

FAQ

What did ServiceNow fix in June 2026?

ServiceNow fixed an endpoint configuration issue that could allow unauthenticated users, in certain circumstances, to gain more access to customer instances than intended. The company applied the security update to hosted customer instances on June 5, 2026.

Was customer data accessed through the ServiceNow issue?

ServiceNow said it observed successful queries of instance tables for a subset of customers and notified affected customers through support cases. The company did not publicly list the exact data queried.

Did hackers exploit the ServiceNow vulnerability?

ServiceNow later said the observed activity appears attributable to security researchers or customer research tied to bug bounty submissions, not confirmed criminal attackers. The company said the researchers advised that no data was used or retained.

Which ServiceNow customers were affected?

Reports based on ServiceNow’s advisory say the issue mainly affected customers on the Australia platform release or customers on earlier releases who made certain configuration changes. ServiceNow said affected customers were notified through support cases.

What should ServiceNow admins do now?

Admins should check whether ServiceNow opened a support case for their organization, review logs for related_list_edit endpoint activity, examine potentially exposed records, rotate any secrets stored in affected records, and audit table and field access controls.
