ServiceNow Discloses Security Incident Exposing Customer Data

ServiceNow applied a security update after an API access issue exposed customer data, with affected firms notified through direct support cases.

Software provider ServiceNow has applied a security update after detecting unusual activity linked to an unauthenticated access issue affecting some hosted customer instances.

According to reporting based on ServiceNow support bulletin KB3067321 (only accessible through ServiceNow’s customer support portal), the company applied the update to hosted customer instances on 5 June 2026. ServiceNow said the issue could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.

The company also observed evidence of successful queries of instance tables for a subset of customers and opened support cases with affected organisations.

ServiceNow has not publicly confirmed exactly what data was accessed.

ServiceNow support bulletin KB3067321 (Source: Reddit)

Inside the Loophole

ServiceNow described the issue as involving an API endpoint configuration that could allow unauthenticated access. ServiceNow has not publicly released full technical details, but administrators discussing the incident have linked the activity to the endpoint /api/now/related_list_edit/create.

Community reporting suggests the affected Scripted REST resource may have had requires_authentication set to false, allowing requests without a valid session, token, or credential check. ServiceNow said the 5 June update changed the API endpoint configuration to limit access to authenticated users only.

Because those endpoint-level details come from administrator reports and third-party analysis rather than a full public ServiceNow technical advisory, they should be treated as reported technical indicators rather than confirmed vendor root-cause details.

The Timeline Dispute

Some community posts on Reddit and X stated that a customer security team reported the issue before the patch, and that ServiceNow support initially treated the report as a non-urgent case. Some community reports also allege that internal ServiceNow records showed the issue had been tracked since 7 April 2026 and that a fix had originally been planned for a later platform release.

ServiceNow has not independently confirmed those claims in public materials. They are best described as allegations from community reporting unless further documentation becomes available.

Systems and Data at Risk

ServiceNow says the issue affects customers on the Australia platform release, as well as customers on earlier releases who made certain configuration changes to their instances.

The company has not publicly listed which data fields or records were accessed. ServiceNow instances commonly store sensitive business information, including IT support tickets, employee records, internal documentation, asset inventories, workflow data, security incident reports, and system configuration details.

Administrators have reported that suspicious requests may appear in logs as activity from the Guest user, because the requests were unauthenticated. That detail has not been fully confirmed by ServiceNow but has been widely discussed in incident-response threads.

Action Plan for IT Teams

Affected customers are being notified directly through ServiceNow support cases. According to the advisory, customers who did not receive a support case are not believed to be affected, but administrators may still want to review logs as a precaution.

Security teams should review ServiceNow transaction and node logs for requests to /api/now/related_list_edit, paying particular attention, according to third-party analysis, to activity around 2 to 3 June 2026 and to requests from the IP address 51.159.98.241.

Impacted organisations should review exposed tickets, records, and attachments for sensitive information. Any passwords, API tokens, credentials, or secrets stored in affected records or support workflows should be rotated. Administrators should also review Scripted REST API resources to confirm that authentication and access controls are configured correctly.
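The log review described above can be scripted; the following is an added example, not code from ServiceNow or from the original article. It assumes a CSV export of transaction logs whose column names (created, user, remote_ip, url, status) are hypothetical, and the sample rows are constructed; the endpoint, IP address and dates are the ones reported above.

```python
import csv
import io
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Indicators reported in the article (community reporting, not vendor-confirmed).
ENDPOINT_PREFIX = "/api/now/related_list_edit"
REPORTED_IP = "51.159.98.241"
WINDOW_START, WINDOW_END = datetime(2026, 6, 2), datetime(2026, 6, 4)  # 2-3 June, end exclusive

# Constructed sample export; the column names are assumptions, not a ServiceNow schema.
SAMPLE_CSV = """created,user,remote_ip,url,status
2026-06-01 09:14:02,alice.admin,198.51.100.7,/api/now/table/incident?sysparm_limit=10,200
2026-06-02 23:41:17,guest,51.159.98.241,/api/now/related_list_edit/create,200
2026-06-03 00:02:55,guest,203.0.113.44,/api/now/related_list_edit/create,200
2026-06-03 08:30:00,bob.itil,198.51.100.9,/api/now/related_list_edit/create,200
2026-06-09 11:00:00,guest,203.0.113.44,/api/now/related_list_edit/create,401
"""

def triage(row):
    """Return a finding dict for a request to the endpoint, or None for other traffic."""
    path = unquote(urlsplit(row["url"]).path)  # drop query string, decode %-escapes
    if not path.startswith(ENDPOINT_PREFIX):
        return None
    when = datetime.strptime(row["created"], "%Y-%m-%d %H:%M:%S")
    reasons = []
    if row["user"].strip().lower() == "guest":
        reasons.append("guest")
    if row["remote_ip"].strip() == REPORTED_IP:
        reasons.append("reported_ip")
    if WINDOW_START <= when < WINDOW_END:
        reasons.append("in_window")
    # A guest or reported-IP request that was served (2xx) may have returned data.
    served = row["status"].startswith("2")
    suspicious = "guest" in reasons or "reported_ip" in reasons
    level = "investigate" if served and suspicious else "review"
    return {"created": row["created"], "ip": row["remote_ip"],
            "level": level, "reasons": reasons}

def scan(csv_text):
    """Triage every row of a CSV export and return findings, most urgent first."""
    findings = [f for f in map(triage, csv.DictReader(io.StringIO(csv_text))) if f]
    return sorted(findings, key=lambda f: (f["level"] != "investigate", f["created"]))

if __name__ == "__main__":
    for f in scan(SAMPLE_CSV):
        print(f["level"], f["created"], f["ip"], ",".join(f["reasons"]))
```

Authenticated requests to the endpoint and rejected guest requests are kept as "review" rather than dropped, so normal use and blocked attempts after the update remain visible without being mixed in with served unauthenticated requests.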

As of the latest public reporting reviewed here, ServiceNow was still evaluating whether to publish a CVE.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.