ServiceNow: Unauthorized API Access to Customer Data via Misconfiguration

At a glance: A misconfigured API endpoint in ServiceNow allowed unauthenticated access to customer tables — remediation was delayed by more than six weeks after the bug bounty report.

ServiceNow has confirmed a security vulnerability that enabled unauthenticated users to access customer data via a misconfigured REST API endpoint. The security update came only on June 5, 2026, although a bug bounty report had already been submitted on April 22.

ServiceNow confirmed that a REST endpoint on its platform did not require authentication, which allowed unauthenticated access to data in hosted customer instances. Attackers could run queries against customer tables and access information normally restricted to logged-in users. The company became aware of the issue through unusual activity and notified affected customers via its internal support portal.

The security update was applied to all hosted customer instances on June 5, 2026 and configures the endpoint in question so that it is now only accessible to authenticated users. ServiceNow provided no details about which customer data was specifically accessed. In typical ServiceNow instances, IT support tickets, employee data, internal documentation, and security-relevant configuration information are stored.

A confidential bug bounty submission describing a comparable issue had already been received by ServiceNow on April 22, 2026. Remediation took place only more than six weeks later, after activity against customer instances had been observed. The company has provided no explanation for the delayed response. In a later statement, ServiceNow assessed the observed access as likely caused by security researchers or bug bounty activity, not by criminal actors.


Source: www.it-daily.net · Published June 11, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.