ServiceNow Patches Critical Flaw Exploited to Gain Unauthorized Access
ServiceNow has issued a security advisory and deployed an urgent patch for a vulnerability that allowed unauthenticated users to gain deeper access to specific instances. The flaw was reportedly known internally for months, and there is evidence that it was exploited against a subset of customers.
Cloud computing giant **ServiceNow** has confirmed a security incident involving an exploited vulnerability that granted unauthorized access to customer instances. The company deployed an urgent security update on June 5, 2026, to address the flaw.
"The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended," **ServiceNow** stated in an advisory, which requires customer access for full details.

### Vulnerability Details Emerge
The vulnerability, which currently lacks a **CVE** identifier, first came to public attention via a **Reddit** discussion. The security update modified an endpoint configuration to restrict this elevated access to authenticated users only.
**ServiceNow** reported detecting anomalous activity related to the issue, including successful queries of instance tables for a "subset of customers." Impacted customers have been notified directly.
### Targeted Instances and Prior Knowledge
According to **ServiceNow**, the security issue primarily affected customers on the "Australia platform release" or those who had made specific configuration changes to instances on earlier releases.
Intriguingly, a **Reddit** user named "d3s7iny" claimed their security team had reported the vulnerability to **ServiceNow**, alleging that the company had been aware of the problem since April 7, 2026. For approximately two months, the issue was reportedly classified as non-urgent, with remediation slated for a future update.
### Confirmed Exploitation and Bug Bounty Submissions
**ServiceNow** has since publicly acknowledged the incident, confirming that "a subset of customer instances were queried successfully as part of this activity." Malicious activity reportedly began on June 2, 2026.
The company's advisory further noted, "On June 3-4, 2026, customers shared submissions to their bug bounty programs regarding a security issue that could, in certain circumstances, allow an unauthenticated user to gain unwanted access to information in **ServiceNow** instances. These submissions were similar to a confidential submission sent to our bug bounty program on April 22, 2026."
A **ServiceNow** spokesperson emphasized that their "main priority was to reach out directly to the subset of customers this [incident] affected, it was not broad."