A security breach at cloud computing platform ServiceNow may have allowed attackers to exfiltrate customer data by exploiting an unsecured API endpoint.
Santa Clara, California-based ServiceNow reported annual revenue of $13.28 billion in 2025 and employs over 23,000 people. Its partners include GPU manufacturer Nvidia and AI giants Anthropic and OpenAI. Thousands of enterprise customers use ServiceNow workflows to connect various systems and automate repetitive tasks.
In its initial assessment, ServiceNow attributed the unauthorized access to a security flaw that could have enabled an unauthenticated attacker to gain greater access and query customer data.
ServiceNow security breach affected unsecured API endpoint
ServiceNow learned of the incident after detecting anomalous activity on customer instances. Social media users claimed that the security breach affected the /api/now/related_list_edit/create REST API endpoint.
“We have detected anomalous activity relating to the security issue. For a subset of customers, we have observed evidence of successful queries of instance tables,” the company stated.
ServiceNow says the security breach affects customers running specific instances, such as the Australian platform release and older versions, and has made certain configuration changes.
However, the computing giant has not disclosed the nature of information potentially exposed, though it likely includes customer support tickets, employee records, and configuration details.
This information may contain sensitive details such as authentication credentials, access tokens, and configuration data, which attackers could exploit to gain deeper access to the system or pivot to other connected systems. Consequently, impacted users should rotate their authentication credentials and access tokens to terminate the threat actor’s access.
So far, the cloud computing platform has not disclosed the number of affected customers or how long the API was exposed. Nevertheless, it has successfully fixed the security vulnerability by requiring authentication to query customer instance tables.
“On June 5, 2026, ServiceNow applied a security update to hosted customer instances. The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended,” the company said.
The cloud computing giant has also opened support cases for affected users to help them navigate the security breach. Enterprise customers who have not received a ServiceNow-initiated support case can consider their organizations unaffected.
“Everyone’s calling this an unauthenticated API vulnerability,” said Dan Moore, Sr. Director CIAM Strategy at FusionAuth. “The attacker bypassed the authentication because there wasn’t any. The endpoint, which lets you create related lists to show up on ServiceNow forms, apparently had its authentication check default to off. It’s unclear how long this has been exposed.”
“A one-line smoke test ‘hit the endpoint with no credentials, expect a rejection’ catches this. Nobody wrote the test, because the platform treated ‘no auth’ as valid configuration for a sensitive endpoint. When authentication is something you toggle per endpoint instead of a default the platform enforces, an exposed endpoint isn’t a bug the system rejects. It’s a setting someone forgot to change. If you manage an application with an API, does an endpoint with no auth fail your build, or does it just ship?” added Moore.
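The smoke test described in the quote above, as an added example that is not from the article, Moore or ServiceNow: a constructed local toy API whose routes each carry their own auth flag, and a check that lists every route answering a request sent with no credentials. The route names, the require_auth flag and all function names are hypothetical.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed toy routes. Each carries its own require_auth flag: the
# per-endpoint toggle design the quote criticises. Names are hypothetical.
ROUTES = {"/api/tickets": {"require_auth": True},
          "/api/widgets/create": {"require_auth": False}}  # flag left off
OPENER = request.build_opener(request.ProxyHandler({}))  # ignore proxy env vars

class ToyAPI(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        route = ROUTES.get(self.path)
        if route is None:
            self.send_response(404)
        elif route["require_auth"] and "Authorization" not in self.headers:
            self.send_response(401)  # toy check: header presence only
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def status_no_creds(base_url, path):
    """POST to path with no Authorization header; return the HTTP status."""
    req = request.Request(base_url + path, data=b"{}", method="POST")
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except error.HTTPError as err:
        return err.code

def unauthenticated_endpoints(base_url, paths):
    """Return every path that did not reject a credential-free request."""
    return [p for p in paths if status_no_creds(base_url, p) not in (401, 403)]

def run_smoke_test():
    server = HTTPServer(("127.0.0.1", 0), ToyAPI)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return unauthenticated_endpoints(base, sorted(ROUTES))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":  # non-zero exit fails the CI job
    raise SystemExit(1 if run_smoke_test() else 0)
```

Run as a build step against a staging copy of your own API, the check fails the job while any listed route returns anything other than 401 or 403 to a credential-free request.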
ServiceNow links security breach to security researchers
The cloud computing platform has attributed the security breach to bounty hunters or customer activity.
“Based on our investigation to date, we have reason to believe the observed activity can be attributed to security researchers or customers conducting their own research.”
While the investigation is still ongoing, ServiceNow has also confirmed that the security researchers did not exfiltrate or retain customer data, as they only queried the fields to validate their findings. They also disclosed the IP addresses they used to query the unsecured API endpoint.
Meanwhile, ServiceNow has not disclosed the identities of the researchers but says it had received similar bug bounty submissions on April 22, 2026. Some ServiceNow customers also received similar bug bounty submissions from the same researchers related to the same security vulnerability.
Additionally, the technology company is in contact with security researchers, actively monitoring the situation, and will provide updates as more information becomes available.
“The attribution question is less clear. ServiceNow has stated that researchers submitted the vulnerability through its bug bounty program in April, and that additional submissions were made to some ServiceNow customer bug bounty programs in June,” said Cory Michal, CISO at AppOmni. “That said, at least one system publicly associated with exploitation of this vulnerability also appears to have targeted tenants of other SaaS platforms with similar unauthenticated-access weaknesses. So while researcher activity clearly occurred, I would be cautious about saying all observed activity was benign research until the investigation is complete.”

