- ServiceNow fixes API flaw which let unauthenticated attackers query some customer instance tables
- Issue mainly hit customers on the Australia release or older versions with custom configs
- Admins urged to review logs for /api/now/related_list_edit requests, especially from 51.159.98.241
ServiceNow has told some of its customers that cybercriminals were able to abuse a flaw in an API endpoint in an attemtpy to access their data.
In a support bulletin published on its customer support portal, the company said it had addressed an issue, “that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”
A fix was applied on June 5 2026, the bulletin said, which changed the API endpoint configuration to limit access just to authenticated users.
Affecting Australians
The company said that the attackers exploited the vulnerability to query customer instance tables but did not say what type of data they were able to access.
These instances usually store sensitive enterprise information such as IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.
However, that doesn’t mean this kind of information was accessed, nor that every exposed customer lost all of this data.
Further in the bulletin, the company said the issue primarily affected customers running the Australia platform release, as well as those on older releases with certain configuration changes.
“The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” ServiceNow warned.
The company says it has notified affected customers by opening support cases – terefore, if you are a ServiceNow customer without an open support case, consider your data safe.
Other administrators should take a look at their logs for requests to /api/now/related_list_edit, particularly from the IP address 51.159.98.241. They should also review exposed tickets and records for sensitive information, update passwords and tokens shared through support workflows, and make sure API logging is turned on.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/sqGgDPxHyGtqunPo56h9cL-2560-80.jpg
Source link
