- ServiceNow fixes an API flaw that allowed unauthenticated attackers to query certain client instance tables
- The issue mainly affected customers of the Australian version or earlier versions with custom configurations.
- Administrators are advised to review the logs for /api/now/Related_list_edit requests, particularly those originating from 51.159.98.241.
ServiceNow told some of its customers that cybercriminals were able to exploit a flaw in an API endpoint to try to access their data.
In a support bulletin posted to its customer support portal, the company said it had fixed an issue “that could allow an unauthenticated user, in certain circumstances, to gain broader than intended access to ServiceNow instances.”
According to the bulletin, a patch applied on June 5, 2026 changed the API endpoint configuration to limit access to authenticated users only.
Affecting Australians
The company said the attackers exploited the vulnerability to query clients’ instance tables, but did not specify what type of data they could access.
These instances typically store sensitive company information, such as IT support tickets, employee files, internal documentation, asset inventories, security incident reports, workflow data, and configuration details of company systems and services.
However, this does not mean that this type of information was accessed, nor that each exposed customer lost all of this data.
Further in the bulletin, the company said the issue primarily affected customers running the Australian version of the platform, as well as those using older versions with some configuration changes.
“The security issue affects customers who are using the Australian version of the platform or who have made certain configuration changes to instances on versions prior to Australia,” ServiceNow warned.
The company says it has notified affected customers by opening support cases. Therefore, if you are a ServiceNow customer without an open support case, consider your data safe.
Other administrators should check their logs for requests to /api/now/Related_list_edit, especially from the IP address 51.159.98.241. They should also review exposed tickets and records for sensitive information, update passwords and tokens shared through support workflows, and ensure API logging is enabled.
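One way to run the log review described above, as an added example that is not ServiceNow's or the article's own code: it scans a constructed CSV export for requests to the endpoint and ranks them, with the reported IP address first. The column names, the `guest` marker for anonymous sessions and the sample rows are assumptions.

```python
import csv
import io
from datetime import date, datetime
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/now/related_list_edit"  # lower-cased form of the path named in the article
REPORTED_IP = "51.159.98.241"            # source address named in the article
PATCH_DAY = date(2026, 6, 5)             # patch date from the bulletin (no time of day given)
ORDER = ("high", "medium", "info")

# Constructed sample export; the column names are assumptions, not a ServiceNow format.
SAMPLE = """created,source_ip,url,user,status
2026-06-02T08:14:09,51.159.98.241,/api/now/related_list_edit?x=1,guest,200
2026-06-03T11:02:41,198.51.100.7,/api/now/Related%5Flist_edit/,,200
2026-06-04T09:30:00,203.0.113.20,/api/now/table/incident,admin.user,200
2026-06-09T16:45:12,198.51.100.9,/api/now/related_list_edit,guest,401
"""


def normalise_path(url):
    """Lower-case and percent-decode the path; drop query string and trailing slash."""
    path = unquote(urlsplit(url).path).lower()
    return path.rstrip("/") or "/"


def triage(log_text):
    """Return (level, created, source_ip, url) for every request to ENDPOINT."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if normalise_path(row["url"]) != ENDPOINT:
            continue
        when = datetime.fromisoformat(row["created"]).date()
        # Assumption: an empty user or "guest" marks an unauthenticated session.
        unauthenticated = row["user"].strip().lower() in ("", "guest")
        served = row["status"].startswith("2")
        if row["source_ip"] == REPORTED_IP:
            level = "high"    # address called out in the article
        elif unauthenticated and served and when <= PATCH_DAY:
            level = "medium"  # anonymous request answered on or before the patch day
        else:
            level = "info"    # rejected, authenticated, or after the patch
        findings.append((level, row["created"], row["source_ip"], row["url"]))
    return sorted(findings, key=lambda f: ORDER.index(f[0]))


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```

Matching on the normalised path catches requests that differ only in letter case, percent-encoding, query string or a trailing slash.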
Via BleepingComputer





