ServiceNow API Flaw Exposed Customer Data: Swift Patching Advised

ServiceNow has disclosed an incident where attackers exploited an unauthenticated access flaw in a vulnerable API endpoint. This allowed them to query sensitive data from customer instances. The company swiftly applied a security update on June 5, 2026, and advised affected customers to review logs for suspicious activity. Security teams are urged to review their ServiceNow configurations and ensure robust logging is enabled.

Summary

ServiceNow has alerted its users about an incident where attackers exploited an unauthenticated access flaw in one of its API endpoints. This vulnerability allowed unauthorized queries on customer instances, potentially exposing sensitive enterprise data such as IT support tickets and employee records. The company quickly applied a security update to mitigate the issue by restricting endpoint access to authenticated users only.

What Happened

The incident began when ServiceNow detected anomalous activity linked to an unauthenticated access flaw in its API endpoint configuration. This vulnerability allowed attackers to query customer instance tables without proper authentication. While specific data accessed remains undisclosed, these instances typically contain sensitive information like IT support tickets and employee records. The company responded by issuing a security update on June 5, 2026, which altered the API endpoint settings to require authenticated access.

Technical Details

The vulnerability appears to be associated with a REST endpoint at /api/now/related_list_edit/create, configured without authentication (requires_authentication=false). This misconfiguration allowed unauthenticated requests to access instance data. ServiceNow's security update corrected this by setting requires_authentication to true, thereby restricting endpoint access.

Affected Products and Fixed Versions

The issue primarily impacts customers using the Australia platform release of ServiceNow or those on older releases who made specific configuration changes. The company has advised these users to review their logs for requests to /api/now/related_list_edit, particularly from suspicious IP addresses like 51.159.98.241.

Exploitation Status

ServiceNow confirmed that attackers successfully exploited this flaw, although they have not disclosed the extent of data accessed. The company is still evaluating whether a CVE will be published for this issue.

Indicators of Compromise

Administrators should look for API requests from IP address 51.159.98.241 and review logs for requests to the vulnerable endpoint /api/now/related_list_edit/create. This can help identify potential unauthorized access attempts.
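One way to run that log review, as an added example that is not code from ServiceNow or from the source article: it flags rows that hit the endpoint path or come from the listed address, after normalizing encoded paths and IPv4-mapped addresses. The CSV layout, column names and sample rows are constructed for illustration, and treating an empty user column as unauthenticated is an assumption.

```python
import csv, io, ipaddress, posixpath
from urllib.parse import urlsplit, unquote

# Path and address as given in the article; everything else is an assumption.
ENDPOINT_PREFIX = "/api/now/related_list_edit"
IOC_IPS = {ipaddress.ip_address("51.159.98.241")}

# Constructed sample export with hypothetical column names; map them to
# whatever your instance's transaction or proxy log export actually uses.
SAMPLE_LOG = """timestamp,source_ip,method,url,user,status
2026-06-03T02:11:09Z,51.159.98.241,POST,/api/now/related_list_edit/create?x=1,,200
2026-06-03T02:11:12Z,::ffff:51.159.98.241,POST,/api/now/%72elated_list_edit/create,,200
2026-06-03T08:40:00Z,198.51.100.7,POST,/api/now//related_list_edit/create/,,200
2026-06-03T09:02:31Z,192.0.2.10,POST,/api/now/related_list_edit/create,jane.doe,200
2026-06-03T09:05:00Z,51.159.98.241,GET,/api/now/table/incident,,401
2026-06-03T09:06:00Z,192.0.2.10,GET,/api/now/table/incident,jane.doe,200
"""

def norm_ip(raw):
    """Parse an address; unwrap IPv4-mapped IPv6 so ::ffff:a.b.c.d matches a.b.c.d."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    return getattr(ip, "ipv4_mapped", None) or ip

def norm_path(url):
    """Path only: drop the query, percent-decode, collapse // and ../, lowercase."""
    path = unquote(urlsplit(url).path)
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def triage(log_text):
    """Return (timestamp, source_ip, path, reasons) for every row worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        path = norm_path(row["url"])
        reasons = []
        if path == ENDPOINT_PREFIX or path.startswith(ENDPOINT_PREFIX + "/"):
            reasons.append("endpoint")
            # Assumption: an empty user column means no authenticated session.
            if not row["user"].strip():
                reasons.append("unauthenticated")
        if norm_ip(row["source_ip"]) in IOC_IPS:
            reasons.append("ioc_ip")
        if reasons:
            findings.append((row["timestamp"], row["source_ip"], path, reasons))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```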

Detection Opportunities

Security teams are encouraged to enable comprehensive logging on their ServiceNow instances to detect similar anomalies in the future. API configurations should be audited regularly to ensure that endpoints exposing sensitive data require authentication.

Defender Guidance

  • Review Logs: Immediately review logs for requests to /api/now/related_list_edit/create, especially from IP address 51.159.98.241.
  • Update Configurations: Ensure all API endpoints require authenticated access, particularly those handling sensitive data.
  • Enable Logging: Activate detailed logging on ServiceNow instances to capture and analyze potential unauthorized access attempts.
  • Audit Regularly: Conduct regular audits of API configurations to prevent similar vulnerabilities from being exploited.

By following these steps, organizations can better protect their ServiceNow environments against unauthorized access and potential data exposure.

Sources

  1. https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -