ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened

News
By published

A bug in an API endpoint was apparently abused

A pink triangle with a red exclamation mark inside on a blue digital landscape
(Image credit: Getty Images)
  • ServiceNow fixes API flaw which let unauthenticated attackers query some customer instance tables
  • Issue mainly hit customers on the Australia release or older versions with custom configs
  • Admins urged to review logs for /api/now/related_list_edit requests, especially from 51.159.98.241

ServiceNow has told some of its customers that cybercriminals were able to abuse a flaw in an API endpoint in an attemtpy to access their data.

In a support bulletin published on its customer support portal, the company said it had addressed an issue, “that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”

A fix was applied on June 5 2026, the bulletin said, which changed the API endpoint configuration to limit access just to authenticated users.

Latest Videos From

Affecting Australians

The company said that the attackers exploited the vulnerability to query customer instance tables but did not say what type of data they were able to access.

These instances usually store sensitive enterprise information such as IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.

However, that doesn’t mean this kind of information was accessed, nor that every exposed customer lost all of this data.

Further in the bulletin, the company said the issue primarily affected customers running the Australia platform release, as well as those on older releases with certain configuration changes.

"The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia," ServiceNow warned.

The company says it has notified affected customers by opening support cases - terefore, if you are a ServiceNow customer without an open support case, consider your data safe.

Other administrators should take a look at their logs for requests to /api/now/related_list_edit, particularly from the IP address 51.159.98.241. They should also review exposed tickets and records for sensitive information, update passwords and tokens shared through support workflows, and make sure API logging is turned on.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.