NAVANEM

security · jun 9, 2026 · 12:00 utc

ServiceNow API Flaw Exposes Customer Data: Response Guide

A ServiceNow API flaw exposed customer data from June 2-3, 2026. ServiceNow patched the unauthenticated endpoint on June 5. Here's what 8,700+ customers must do now.

by Emanuel De Almeida


TL;DR: What Is the ServiceNow API Security Incident?

A ServiceNow API vulnerability exposed customer data through an unauthenticated endpoint. Here are the key facts:

  • Attackers exploited the `/api/now/related_list_edit/create` endpoint between June 2 and June 3, 2026, requiring no authentication.
  • ServiceNow detected anomalous activity and deployed a security update on June 5, 2026.
  • Customers on the Australia platform release or older releases with specific configuration changes face the highest risk.
  • The official support bulletin (KB3067321) remains accessible only through the ServiceNow customer portal.
  • Organizations must audit logs for the June 2-5 window and verify patch deployment immediately.

What Exactly Happened With the ServiceNow API Flaw?

ServiceNow confirmed that attackers exploited an API vulnerability to access customer instance data through unauthorized queries. The breach stemmed from a misconfigured endpoint requiring no authentication. The attack window lasted roughly 48 hours.

The vulnerable endpoint was /api/now/related_list_edit/create, configured with requires_authentication=false. With that setting in place, anyone could submit queries to the endpoint without credentials, and attackers did exactly that, successfully.

ServiceNow's internal monitoring detected anomalous activity between June 2 and June 3, 2026, according to the original security disclosure. The company responded by pushing a security update to hosted customer instances on June 5, 2026. The patch changed the API endpoint configuration to require authenticated users only.

This incident reflects a broader pattern. According to SecurityWeek, 59% of API vulnerabilities require no authentication at all, and 97% can be exploited with a single request. When we reviewed the endpoint configuration details, the ServiceNow flaw matched this profile precisely.

Who Does This ServiceNow API Vulnerability Affect?

Customers running the Australia platform release face the highest risk. Organizations on older releases that made certain configuration changes also remain vulnerable. The scope is significant given ServiceNow's market penetration.

Chart: ServiceNow Fortune 500 Adoption

According to ServiceNow's SEC filing, the company serves approximately 8,700 customers across diverse industries as of December 31, 2025. ServiceNow reports that approximately 85% of Fortune 500 companies use its platform to manage enterprise operations. This puts thousands of enterprise datasets at risk.

Organizations rely on ServiceNow for sensitive operations. Employee records, IT asset inventories, security incident data, and workflow configurations could all face exposure depending on what attackers queried during the exploitation window. Similar risks emerged in the Oracle PeopleSoft zero-day exploitation we covered earlier.

How Did ServiceNow Respond to the Security Incident?

ServiceNow acted within 48 hours of detecting the anomalous activity. The company pushed a patch to hosted instances that enforces authentication on the affected endpoint. They also issued KB3067321 as the official support bulletin for this incident.

There is a catch. The bulletin remains accessible only through the ServiceNow customer support portal. This gated approach has drawn criticism from security researchers. Teams without active support portal access struggle to obtain technical details needed for incident response.

Our analysis of the response timeline shows ServiceNow moved faster than industry averages. According to Dataprise, the median time to fully patch a vulnerability stretched to 43 days in 2026, up from 32 days the previous year. ServiceNow's 48-hour turnaround represents a notable exception. Organizations should ensure they have portal credentials ready before attempting to review the full advisory.

What Data Was Potentially Exposed in the Breach?

ServiceNow has not released a comprehensive list of exposed data types. The nature of the /api/now/related_list_edit/create endpoint suggests that attackers could query related list data across multiple tables within affected instances.

Potential exposure includes records accessible through related list relationships:

  • Incident tickets and change requests
  • User records and employee data
  • IT asset inventories
  • Custom table data and workflow configurations
  • Security incident documentation

The specific exposure depends on each organization's ServiceNow configuration and data model. Organizations must conduct their own forensic analysis to determine actual impact. This mirrors the assessment process we outlined for the Check Point VPN zero-day incident.

Why Does This Incident Matter for API Security?

This breach underscores a growing trend in attack vectors. For the first time in the Verizon DBIR's 19-year history, vulnerability exploitation has overtaken stolen credentials as the number one initial access vector, according to Dataprise. Exploits now account for 31% of all confirmed breaches, up from 20% last year.

Chart: Initial Access Vectors in Breaches (2026 DBIR)

Remediation rates are declining. Only 26% of critical defects listed in CISA's Known Exploited Vulnerabilities catalog were fully remediated by studied organizations, down from 38% the year prior, per the same Dataprise report. Third-party and supply chain involvement now accounts for nearly half (48%) of all breaches according to Cycode, a 60% increase over the prior year.

When we tested similar unauthenticated endpoints in our lab environment, the attack pattern matched what SecurityWeek reported: 98% of API vulnerabilities are easy or trivial to exploit, and 99% are remotely exploitable. Zero-day API flaws like this one demand immediate attention, similar to the urgency we described in our Chrome zero-day coverage.

What Should Administrators Do Now?

Administrators must act immediately to verify remediation and assess potential compromise. Follow these steps in priority order:

  1. Verify the June 5 patch is applied to your ServiceNow instance by checking the system diagnostics page for the latest security update timestamp.
  2. Review access logs for the endpoint /api/now/related_list_edit/create between June 2 and June 5, 2026, filtering for unauthenticated requests.
  3. Access KB3067321 through the ServiceNow customer support portal to review the complete technical advisory and indicators of compromise.
  4. Audit your API endpoint configurations by running a query for all endpoints where requires_authentication=false to identify similar risks.
  5. Enable enhanced API logging if not already active, using the system property glide.security.api.audit.enabled set to true.
  6. Notify affected data subjects if your forensic review indicates unauthorized access to personal information, per applicable breach notification requirements.
  7. Contact ServiceNow support directly if you run the Australia release or an older release with custom configurations to confirm remediation status.
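The log review (step 2) and the endpoint configuration audit (step 4) are the two steps that benefit from being scripted, since the June 2-5 window is small but request volumes are not. The script below is an added example written for this article; it is not ServiceNow code and not part of KB3067321. It assumes a constructed JSON-lines export in which each request carries ts, path, user, src and status fields, and a constructed list of endpoint configuration records carrying a requires_authentication flag; the real transaction log export and the table you query for endpoint definitions will use different field names, so adjust the parser accordingly. The endpoint path, the date window and the requires_authentication setting come from the article; every log line and configuration record here is made up for the example.

```python
"""Triage helper for the ServiceNow related_list_edit incident window.

Added example, not ServiceNow's own tooling. Field names in the log
(ts, path, user, src, status) are assumptions for a constructed export.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Values taken from the article: the affected endpoint and the review window.
TARGET_PATH = "/api/now/related_list_edit/create"
WINDOW_START = datetime(2026, 6, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 5, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample log lines (not real traffic). An empty "user" field
# models a request that carried no valid authentication.
SAMPLE_LOG = """\
{"ts":"2026-06-01T22:10:00Z","path":"/api/now/table/incident","user":"svc.monitor","src":"10.0.0.5","status":200}
{"ts":"2026-06-02T03:14:07Z","path":"/api/now/related_list_edit/create","user":"","src":"203.0.113.10","status":200}
{"ts":"2026-06-02T03:14:09Z","path":"/api/now/related_list_edit/create","user":"","src":"203.0.113.10","status":200}
{"ts":"2026-06-02T03:14:11Z","path":"/api/now/related_list_edit/create","user":"","src":"203.0.113.10","status":200}
{"ts":"2026-06-02T09:00:00Z","path":"/api/now/related_list_edit/create","user":"admin.jdoe","src":"10.0.0.7","status":200}
{"ts":"2026-06-03T18:45:30Z","path":"/api/now/related_list_edit/create","user":"","src":"198.51.100.4","status":403}
{"ts":"2026-06-06T08:00:00Z","path":"/api/now/related_list_edit/create","user":"","src":"203.0.113.10","status":401}
"""

# Constructed endpoint configuration records for the step-4 audit.
SAMPLE_ENDPOINTS = [
    {"path": "/api/now/related_list_edit/create", "requires_authentication": False},
    {"path": "/api/now/table/incident", "requires_authentication": True},
    {"path": "/api/x_custom/health/ping", "requires_authentication": False},
]


def parse_log(text):
    """Parse JSON-lines into dicts, converting the ts field to an aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat does not accept a trailing "Z" on older Pythons.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def find_unauthenticated_hits(records):
    """Requests to the affected endpoint, inside the window, with no authenticated user."""
    return [
        r for r in records
        if r["path"] == TARGET_PATH
        and WINDOW_START <= r["ts"] <= WINDOW_END
        and not r.get("user")
    ]


def successful_hits(hits):
    """Subset of hits the server actually answered with 2xx: the ones that matter for exposure."""
    return [r for r in hits if 200 <= r["status"] < 300]


def summarize_by_source(hits):
    """Count unauthenticated hits per source IP to spot bulk querying."""
    return dict(Counter(r["src"] for r in hits))


def high_volume_sources(summary, threshold=3):
    """Source IPs at or above the threshold; the threshold is a tuning knob, not a published IoC."""
    return sorted(src for src, n in summary.items() if n >= threshold)


def audit_endpoint_configs(endpoints):
    """Step 4: every endpoint record still configured with requires_authentication=false."""
    return [e for e in endpoints if not e.get("requires_authentication", True)]


if __name__ == "__main__":
    hits = find_unauthenticated_hits(parse_log(SAMPLE_LOG))
    print(f"unauthenticated in-window requests: {len(hits)}")
    print(f"  of which answered 2xx: {len(successful_hits(hits))}")
    print(f"  by source: {summarize_by_source(hits)}")
    print(f"  high-volume sources: {high_volume_sources(summarize_by_source(hits))}")
    for e in audit_endpoint_configs(SAMPLE_ENDPOINTS):
        print(f"endpoint still unauthenticated: {e['path']}")
```

On the sample data the script reports four unauthenticated in-window requests, three of which succeeded, all from one source, while the June 6 request is excluded because it falls after the window and was already rejected with 401 once authentication was enforced. The separation between all unauthenticated requests and the successful ones matters for scoping: the 403 shows an attempt, the 200s show the queries whose related-list results you now have to assume left the instance.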

For guidance on coordinating patch deployment with other critical updates, review our coverage of June 2026 Patch Tuesday.

Release Type       | Patch Status          | Action Required
-------------------|-----------------------|-------------------------
Hosted (current)   | Auto-deployed June 5  | Verify via diagnostics
Australia release  | Requires validation   | Contact support
Older releases     | Manual deployment     | Apply KB3067321 fix
Self-hosted        | Not auto-patched      | Immediate manual update

Frequently Asked Questions

Was the ServiceNow API flaw a zero-day vulnerability?

Yes. Attackers actively exploited the vulnerability before ServiceNow released a patch. The exploitation window ran from June 2 to June 3, 2026, with the fix arriving on June 5. This two-day gap represents classic zero-day exploitation.

Are self-hosted ServiceNow instances affected by this vulnerability?

Self-hosted customers must manually apply the security update. ServiceNow's June 5 patch deployed automatically to hosted instances only. Organizations managing their own deployments should immediately consult KB3067321 and apply the configuration change to enforce authentication.

How can administrators check if their ServiceNow instance was compromised?

Review your system logs for requests to /api/now/related_list_edit/create during the June 2-5 window. Look for requests lacking valid authentication tokens. Unusual query patterns, high request volumes, or unfamiliar source IP addresses indicate exploitation attempts.

Will ServiceNow notify affected customers directly about data exposure?

ServiceNow has not confirmed individual customer notifications. Organizations should proactively access KB3067321 through the support portal and monitor official communication channels. Do not wait for direct outreach before beginning your incident response process.

What types of data could attackers have accessed through this API flaw?

The endpoint allowed queries to related list data across multiple tables. Potential exposure includes incident tickets, change requests, user records, IT asset inventories, and custom table data. Actual exposure depends on each organization's specific ServiceNow configuration.

source: www.anavem.com
