To the point: A publicly accessible ServiceNow API endpoint required no authentication under certain conditions, allowing unauthorized access to sensitive enterprise data.
ServiceNow has fixed a security vulnerability that allowed access to customer data via an unauthenticated API endpoint. The vulnerability affected specific release versions and was reported in April through the bug bounty program.
ServiceNow is informing customers of a vulnerability that enabled data access via an unauthenticated API endpoint on affected instances. The security update (KB3067321) was released on June 5 for hosted customers, while guidance (KB3067372) was issued for self-hosted deployments. The vulnerability was reported in April through ServiceNow’s bug bounty program.
Customer reports online reference the affected endpoint “/api/now/related_list_edit/create” and a configuration with “requires_authentication = false”. According to customer statements, the Australia release of ServiceNow is affected. However, users in those discussions doubt that the vulnerability is limited to this single release, since the “requires_authentication” flag is a configuration parameter rather than a release-specific code change. Administrators are urged to review their Scripted REST API tables and audit all resources for which authentication is not enabled, particularly those that have not been changed since before 2022.
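To make that audit concrete, here is an added example (not from the article or from ServiceNow) that filters a Table API response from the Scripted REST resource table for resources that do not require authentication and flags those untouched since before 2022. It assumes the resource table is `sys_ws_operation` with a `requires_authentication` field, queried through the standard Table API at `/api/now/table/`; the sample response below is constructed.

```python
import json
from datetime import datetime

# Assumed table/field names: sys_ws_operation holds Scripted REST API
# resources and exposes a boolean "requires_authentication" field.
TABLE = "sys_ws_operation"

def audit_url(instance: str) -> str:
    """Table API URL listing unauthenticated resources, oldest change first."""
    query = "requires_authentication=false^ORDERBYsys_updated_on"
    fields = "sys_id,name,http_method,relative_path,sys_updated_on"
    return f"{instance}/api/now/table/{TABLE}?sysparm_query={query}&sysparm_fields={fields}"

# Constructed sample response in the Table API's JSON shape
# (booleans come back as the strings "true"/"false").
SAMPLE_RESPONSE = json.dumps({"result": [
    {"sys_id": "a1", "name": "create", "http_method": "POST", "relative_path": "/create",
     "requires_authentication": "false", "sys_updated_on": "2019-03-14 10:22:01"},
    {"sys_id": "a2", "name": "list", "http_method": "GET", "relative_path": "/list",
     "requires_authentication": "true", "sys_updated_on": "2023-01-10 08:00:00"},
    {"sys_id": "a3", "name": "export", "http_method": "GET", "relative_path": "/export",
     "requires_authentication": "false", "sys_updated_on": "2024-06-01 12:00:00"},
]})

def find_unauthenticated(response_json: str, stale_before: str = "2022-01-01") -> list:
    """Return resources with requires_authentication=false; mark ones last
    modified before the cutoff as stale, since those deserve first review."""
    cutoff = datetime.strptime(stale_before, "%Y-%m-%d")
    findings = []
    for rec in json.loads(response_json)["result"]:
        if rec.get("requires_authentication") != "false":
            continue
        updated = datetime.strptime(rec["sys_updated_on"], "%Y-%m-%d %H:%M:%S")
        findings.append({"sys_id": rec["sys_id"], "method": rec["http_method"],
                         "path": rec["relative_path"], "stale": updated < cutoff})
    return findings

if __name__ == "__main__":
    print(audit_url("https://INSTANCE_PLACEHOLDER.service-now.com"))
    for f in find_unauthenticated(SAMPLE_RESPONSE):
        print(("STALE " if f["stale"] else "      ") + f["method"], f["path"], f["sys_id"])
```

Each flagged resource should then be checked for whether unauthenticated access was ever intended, and the instance's request logs reviewed for calls to it.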
ServiceNow stores IT service requests, employee data, and internal security information, so unauthorized access to customer instances poses significant risks to enterprises. ServiceNow attributes the suspicious activity observed so far to security researchers. However, Cory Michal, CISO at AppOmni, cautions: While researcher activity has been clearly documented, it should not be assumed that all observed activity is harmless before the investigation is concluded – at least one system publicly linked to exploiting this vulnerability has targeted tenants of other SaaS platforms with similar unauthenticated access flaws.
ServiceNow advises customers to investigate their systems beyond applying the patch to determine whether unauthorized access has occurred. The company’s investigation is ongoing.
Source: www.csoonline.com · Published June 11, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.