**ServiceNow**, a leading digital workflow company, has confirmed a security incident involving the exploitation of an unauthenticated API endpoint. The vulnerability allowed unauthorized actors to query data from customer instances, raising concerns about the exposure of sensitive enterprise information. ### Silent Disclosure and Remediation The company quietly addressed the issue, informing impacted customers through a support bulletin and direct support cases. This action followed the detection of "anomalous activity" linked to the flaw. A security update was applied to hosted customer instances on June 5, 2026. According to the internal bulletin, the update specifically addressed a security issue that could grant an unauthenticated user unintended access to **ServiceNow** instances. The core of the fix involved reconfiguring the affected API endpoint to restrict access to authenticated users only. ### Exploitation Confirmed **ServiceNow** has confirmed that attackers successfully exploited this flaw to query customer instance tables. While the specific data accessed remains undisclosed, **ServiceNow** instances commonly house a wealth of sensitive enterprise data, including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details for corporate systems. ### The Allure of Support Tickets Support case information has become a prime target for threat actors due to its potential to contain valuable credentials, API tokens, internal documentation, and authentication secrets often shared during troubleshooting processes. **ServiceNow** has initiated support cases with all identified affected customers. If an organization has not received such communication, they are currently not believed to be impacted by this incident. ### Technical Details Emerge from the Community Although **ServiceNow** has not publicly released the technical specifics of the vulnerability, discussions among administrators on **Reddit** suggest the issue is tied to a REST endpoint located at `/api/now/related_list_edit/create`. Community members claim this endpoint was configured with `requires_authentication=false`, enabling unauthenticated requests to access instance data. The subsequent security update reportedly set `requires_authentication` to `true`. Indicators of compromise (IoCs) have also been shared, including API requests originating from the IP address `51.159.98.241`. Administrators are advised to scrutinize their logs for requests to the vulnerable endpoint. ### Affected Releases The security issue primarily affects customers running the **Australia** platform release or those on older releases who had implemented specific configuration changes. ### Recommendations for Administrators **ServiceNow** recommends that administrators review their logs for any requests to `/api/now/related_list_edit`, particularly those originating from `51.159.98.241`. Impacted organizations should also: * Review exposed tickets and records for sensitive information. * Rotate any credentials or tokens that may have been shared through support workflows. * Ensure API logging is enabled to enhance future detection capabilities. **ServiceNow** is still evaluating whether a **CVE** will be published for this issue.