- ServiceNow fixes API flaws that let unauthorized attackers query some customer instance tables
- The issue primarily affects customers on the Australia release or older versions with custom configurations
- Administrators are encouraged to review logs for /api/now/related_list_edit requests, especially from 51.159.98.241
ServiceNow has told some of its customers that cybercriminals were able to exploit a flaw in an API endpoint in an attempt to gain access to their data.
In a support bulletin posted on its customer support portal, the company said it had addressed an issue “that could allow an unauthorized user, under certain circumstances, to gain greater access to ServiceNow instances than intended.”
A fix was applied on June 5, 2026, the bulletin said, which changed the API endpoint configuration to restrict access to only authenticated users.
Affects Australians
The company said the attackers exploited the vulnerability to query customer instance tables, but did not say what type of data they were able to access.
These instances usually store sensitive company information such as IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details of the company’s systems and services.
However, this does not mean that this type of information was accessed, nor that every exposed customer lost all of this data.
Further in the bulletin, the company said the issue primarily affected customers running the Australia platform release, as well as those on older releases with certain configuration changes.
“The security issue affects customers who are on the Australian platform release or have made certain configuration changes to instances on pre-Australia releases,” ServiceNow warned.
The company says it has notified affected customers by opening support cases — so if you’re a ServiceNow customer without an open support case, consider your data safe.
Other administrators should take a look at their logs for requests to /api/now/related_list_edit, especially from the IP address 51.159.98.241. They should also review exposed tickets and records for sensitive information, update passwords and tokens shared through support workflows, and ensure API logging is turned on.
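A small triage script for the log review described above, added here as an illustration rather than code from ServiceNow or the bulletin. It assumes an exported access-style log with one request per line in the shape `<ip> <timestamp> <method> <path> <status>` (a constructed format; real ServiceNow transaction logs differ, so adjust the regex), and flags every request to the endpoint, marking those from the IP named in the bulletin as high priority.

```python
import re
from collections import Counter

# Indicators as reported in the bulletin summarised above.
WATCH_ENDPOINT = "/api/now/related_list_edit"
WATCH_IP = "51.159.98.241"

# Assumed line shape (constructed): "<ip> <timestamp> <method> <path> <status>".
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def triage(lines):
    """Return (hits, per_ip_counts) for requests that touch the watched endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line; in practice, count these so gaps are visible
        # Drop any query string before comparing the path.
        path = m.group("path").split("?", 1)[0]
        if path != WATCH_ENDPOINT and not path.startswith(WATCH_ENDPOINT + "/"):
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            # Successful (2xx) calls from the reported IP are the ones to chase first.
            "priority": "high" if m.group("ip") == WATCH_IP else "review",
        })
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample lines, not real customer logs.
SAMPLE = [
    "10.0.0.5 2026-06-01T09:00:00Z GET /api/now/table/incident 200",
    "51.159.98.241 2026-06-02T03:14:07Z POST /api/now/related_list_edit?x=1 200",
    "203.0.113.9 2026-06-02T03:20:11Z POST /api/now/related_list_edit 401",
    "51.159.98.241 2026-06-02T03:21:40Z POST /api/now/related_list_edit 200",
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE)
    for h in hits:
        print(h)
    print(dict(counts))
```

A 401 from an unknown source is still worth a look, since it shows the endpoint was being probed before or after the fix.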
Via Bleeping Computer