ServiceNow confirmed a security incident where a misconfigured API allowed unauthorized access to some customer instances. Here’s what happened, when it was fixed, and what organizations should do now.
ServiceNow has disclosed a security incident involving unauthorized access to certain customer instances. The issue stemmed from a misconfigured REST API endpoint that allowed unauthenticated users to query data tables in affected environments.
While ServiceNow applied a fix on June 5, 2026, and notified impacted customers, the incident has raised concerns due to the age of the vulnerability and reports from customers that the issue was flagged internally as early as April.
This article explains what happened, the technical details, the timeline, and the steps organizations using ServiceNow should take.
What Happened: The ServiceNow API Flaw
The incident involved a Scripted REST API endpoint (/api/now/related_list_edit/create) that was configured with requires_authentication = false in some customer instances.
This configuration allowed unauthenticated users to access and query data tables within affected ServiceNow instances. In certain cases, attackers successfully retrieved data from these tables.
ServiceNow confirmed that anomalous activity was detected from the IP address 51.159.98.241. The company stated that it observed evidence of successful queries against instance tables in a subset of customer environments.
Importantly, this was not a breach of ServiceNow’s core infrastructure. Instead, it was a platform-level configuration issue that exposed some customer instances to unauthorized data access.
Timeline of the ServiceNow Security Incident
Before April 2026 – Vulnerability Existed
- A misconfigured API endpoint existed in certain customer configurations.
- The issue had reportedly been present for years in some instances.
April 7, 2026 – Internal Awareness
- According to some customer reports, ServiceNow may have already been aware of related security concerns.
- Investigations and internal reviews reportedly began around this period.
Early June 2026 – Exploitation Detected
- Attackers successfully exploited the misconfigured endpoint.
- Unauthorized queries were made against data tables in affected customer instances.
June 5, 2026 – Security Update Applied
- ServiceNow deployed a security fix to affected hosted customer environments.
- The vulnerable endpoint configuration was corrected to prevent further unauthorized access.
June 9–10, 2026 – Public Disclosure
- ServiceNow publicly disclosed the incident.
- Impacted customers received notifications and support cases.
- Additional technical details and remediation guidance were shared.
The relatively long window between when the flaw existed and when it was patched has become a point of discussion among customers and security researchers.
Impact on Customers
ServiceNow has stated that only a subset of customers were affected — specifically those on certain platform releases (including the Australia release) or those who had made specific configuration changes on older releases.
For impacted organizations, the main risk was unauthorized access to data stored in ServiceNow tables. This could include sensitive information such as:
- IT service management records
- Customer data
- Internal workflows and processes
- Potentially other business-critical information
ServiceNow has been notifying affected customers individually through support cases when evidence of successful data queries was found. Customers who did not receive such a notification were told that no successful exploitation was observed on their instances.
ServiceNow’s Official Response
According to ServiceNow’s advisory:
- A security update was applied on June 5, 2026, to hosted customer instances.
- The update changed the endpoint configuration to require authentication.
- The company confirmed it detected anomalous activity and evidence of successful table queries in some cases.
- Affected customers were notified directly.
- ServiceNow is still evaluating whether to publish a CVE.
The company has also advised customers to review their own instances for any custom Scripted REST APIs that might have authentication disabled.
What Organizations Should Do Now
If your organization uses ServiceNow, security teams should take the following steps:
- Check for notifications — Look for any support cases from ServiceNow regarding this issue.
- Review logs — Search transaction logs for activity from IP 51.159.98.241 and requests to /api/now/related_list_edit/create.
- Verify the patch — Confirm that the June 5 security update has been applied to your instance.
- Audit custom APIs — Check all Scripted REST Resources and ensure requires_authentication is enabled where appropriate.
- Monitor for anomalies — Continue watching for unusual data access patterns in the coming weeks.
- Assess data exposure — If your instance was affected, evaluate what data may have been accessible.
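The log review and API audit steps above can be scripted against CSV exports from your instance. The following is an added example, not ServiceNow's tooling or code from the advisory: the IP address and endpoint path come from this article, while the CSV column names and all sample rows are constructed assumptions to be mapped onto your own exports.

```python
import csv
import io
from urllib.parse import urlsplit

# Indicators taken from the article.
SUSPECT_IP = "51.159.98.241"
SUSPECT_PATH = "/api/now/related_list_edit/create"

# Constructed sample transaction-log export; the column names
# (created, remote_ip, url, user) are assumptions, not a ServiceNow schema.
SAMPLE_TRANSACTIONS = """created,remote_ip,url,user
2026-06-02 03:14:07,51.159.98.241,/api/now/related_list_edit/create?k=v,guest
2026-06-02 03:15:10,198.51.100.7,/API/now/related_list_edit/create/,guest
2026-06-02 09:00:00,203.0.113.20,/api/now/table/incident?k=v,jdoe
2026-06-03 11:30:00,51.159.98.241,/login.do,guest
"""

# Constructed sample export of Scripted REST Resources (assumed columns).
SAMPLE_RESOURCES = """name,operation_uri,requires_authentication,active
Create,/api/now/related_list_edit/create,false,true
Lookup,/api/x_acme/assets/lookup,true,true
Legacy ping,/api/x_acme/ping,false,false
"""

def triage_transactions(csv_text):
    """Return (row, reasons) for every row that matches an indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Compare the path only: ignore query string, case and trailing slash.
        path = urlsplit(row["url"]).path.rstrip("/").lower()
        reasons = []
        if row["remote_ip"].strip() == SUSPECT_IP:
            reasons.append("known source IP")
        if path == SUSPECT_PATH:
            reasons.append("related_list_edit/create request")
        if reasons:
            hits.append((row, reasons))
    return hits

def unauthenticated_resources(csv_text):
    """Return URIs of active resources that do not require authentication."""
    return [r["operation_uri"] for r in csv.DictReader(io.StringIO(csv_text))
            if r["active"].strip().lower() == "true"
            and r["requires_authentication"].strip().lower() != "true"]

if __name__ == "__main__":
    print(triage_transactions(SAMPLE_TRANSACTIONS))
    print(unauthenticated_resources(SAMPLE_RESOURCES))
```

A row that matches only on the endpoint path is still worth reviewing, since requests may have come from addresses other than the one ServiceNow named.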
Broader Implications
This incident highlights several important issues in enterprise SaaS security:
- Configuration risks in low-code platforms: Even widely used enterprise platforms can contain dangerous misconfigurations if not properly secured.
- Response time concerns: Customer reports suggesting the issue was known internally since early April have led to questions about how quickly such vulnerabilities are addressed.
- Shared responsibility: While ServiceNow owns the platform, customers are also responsible for reviewing configurations and monitoring their instances.
- Supply chain risk: Many organizations rely heavily on ServiceNow for critical operations. Incidents like this underscore the importance of continuous monitoring and incident response planning for key SaaS vendors.
The stock reaction (a roughly 6.3% drop following the news) also reflects investor sensitivity to security incidents involving major enterprise software providers.
FAQs About the ServiceNow Security Incident
Was this a full data breach of ServiceNow? No. It was a platform configuration issue that allowed unauthorized access to data in some customer instances, not a compromise of ServiceNow’s core systems.
When was the fix released? ServiceNow applied the security update on June 5, 2026.
How do I know if my instance was affected? Check for notifications from ServiceNow. If you received a case about successful queries, your instance was impacted. If not, ServiceNow did not observe successful exploitation on your instance.
Should I be concerned about data exposure? If your organization received a notification, you should investigate what data may have been accessible through the vulnerable endpoint.
Will there be a CVE? ServiceNow has stated it is still evaluating whether to publish a CVE.
What should I do right now? Review your logs for the known malicious IP, verify the patch status, and audit any custom REST APIs with authentication disabled.
Final Thoughts
The ServiceNow security incident serves as a reminder that even mature enterprise platforms can contain serious configuration vulnerabilities. While ServiceNow moved to patch the issue in early June, the fact that the flaw existed for years in certain setups — and customer reports of earlier internal awareness — has understandably raised concerns.
Organizations that rely on ServiceNow should treat this as a serious incident, review their instances thoroughly, and strengthen monitoring around key SaaS platforms.
As more details emerge, particularly around the scope of data accessed and ServiceNow’s long-term response, this story is likely to continue developing.
Has your organization received any notification from ServiceNow about this issue? Share your experience in the comments (without sharing sensitive details).