TechRadar
Sead Fadilpašić

ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened

  • ServiceNow fixes API flaw which let unauthenticated attackers query some customer instance tables
  • Issue mainly hit customers on the Australia release or older versions with custom configs
  • Admins urged to review logs for /api/now/related_list_edit requests, especially from 51.159.98.241

ServiceNow has told some of its customers that cybercriminals were able to abuse a flaw in an API endpoint in an attempt to access their data.

In a support bulletin published on its customer support portal, the company said it had addressed an issue, “that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”

A fix was applied on June 5 2026, the bulletin said, which changed the API endpoint configuration to limit access just to authenticated users.

Affecting Australians

The company said that the attackers exploited the vulnerability to query customer instance tables but did not say what type of data they were able to access.

These instances usually store sensitive enterprise information such as IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.

However, that doesn’t mean this kind of information was accessed, nor that every exposed customer lost all of this data.

Further in the bulletin, the company said the issue primarily affected customers running the Australia platform release, as well as those on older releases with certain configuration changes.

"The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia," ServiceNow warned.

The company says it has notified affected customers by opening support cases. Therefore, if you are a ServiceNow customer without an open support case, consider your data safe.

Other administrators should take a look at their logs for requests to /api/now/related_list_edit, particularly from the IP address 51.159.98.241. They should also review exposed tickets and records for sensitive information, update passwords and tokens shared through support workflows, and make sure API logging is turned on.
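The log review described above can be scripted. The following is an added example, not code from ServiceNow or the bulletin: it assumes request logs exported to CSV with hypothetical columns `created`, `remote_ip`, `user` and `url`, and that a blank `user` means the request was unauthenticated.

```python
import csv, io
from collections import defaultdict
from urllib.parse import urlsplit, unquote

ENDPOINT = "/api/now/related_list_edit"  # path named in the bulletin
WATCH_IP = "51.159.98.241"               # address named in the bulletin

# Constructed sample export; column names are assumptions, not a ServiceNow schema.
SAMPLE = """created,remote_ip,user,url
2026-06-01 10:02:11,203.0.113.7,alice,/api/now/table/incident?a=1
2026-06-02 03:14:52,51.159.98.241,,/api/now/related_list_edit?a=1
2026-06-02 03:14:55,51.159.98.241,,/api/now/Related_List_Edit/
2026-06-03 08:40:00,198.51.100.23,bob,/api/now/related_list_edit
2026-06-03 09:00:00,198.51.100.9,,/api/now/related%5Flist%5Fedit?a=1
2026-06-04 12:00:00,203.0.113.7,alice,/api/now/related_list_editor
"""

def is_endpoint(url):
    """Match the endpoint after dropping the query, decoding %xx and lowercasing."""
    path = unquote(urlsplit(url).path).lower().rstrip("/")
    return path == ENDPOINT or path.startswith(ENDPOINT + "/")

def review(rows):
    """Group endpoint requests by source IP and rank which to read first."""
    by_ip = defaultdict(lambda: {"hits": 0, "unauth": 0, "first": None, "last": None})
    for row in rows:
        if not is_endpoint(row["url"]):
            continue
        rec, ts = by_ip[row["remote_ip"].strip()], row["created"]
        rec["hits"] += 1
        rec["unauth"] += not row["user"].strip()  # blank user: assumed unauthenticated
        rec["first"] = min(rec["first"] or ts, ts)
        rec["last"] = max(rec["last"] or ts, ts)
    order = {"high": 0, "review": 1, "low": 2}
    findings = []
    for ip, rec in by_ip.items():
        # The bulletin's IP comes first, then any other unauthenticated source.
        priority = "high" if ip == WATCH_IP else "review" if rec["unauth"] else "low"
        findings.append({"ip": ip, "priority": priority, **rec})
    return sorted(findings, key=lambda f: (order[f["priority"]], f["ip"]))

def review_csv(text):
    return review(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for finding in review_csv(SAMPLE):
        print(finding)
```

The first and last timestamps per source give the window to use when reviewing which tickets and records may have been exposed.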

Via BleepingComputer
