ServiceNow said unknown threat actors exploited a security flaw to gain deeper unauthorized access to some customer instances, with successful queries observed against a subset of customers. The company said it applied a security update on June 5, 2026, after detecting anomalous activity tied to the issue.
KEY FACTS
- Impact: Successful queries were seen against instance tables for a subset of customers.
- Update: A security update was deployed on June 5, 2026.
- Affected systems: The issue applied to customers on the Australia release and some earlier releases with certain configuration changes.
- Timeline: Malicious activity is said to have started on June 2, 2026.
- Disclosure: The flaw has no CVE identifier yet.
A vendor advisory said the update changed an endpoint configuration so access is limited to authenticated users. The security issue could, in certain circumstances, let an unauthenticated user gain greater access to ServiceNow instances than intended.
The report said impacted customers were notified. It also said the issue affected customers on the Australia platform release or instances on earlier releases that had certain configuration changes.
ServiceNow later acknowledged that a subset of customer instances were queried successfully as part of the activity. The company also said submissions to its bug bounty program on June 3 and 4 were similar to a confidential submission sent on April 22.
One Reddit post claimed the security team had reported the flaw and that the company had known about it internally since April 7, 2026, though that claim was not independently verified in the article.
WHY IT MATTERS
The incident shows how a configuration or endpoint issue can expose customer data even without a public CVE. For users of the platform, the case underscores the importance of vendor patches and prompt review of security notices.

