- ServiceNow fixes an API flaw that allowed unauthenticated attackers to query some client instance tables
- The issue primarily affects customers on the Australia version or older versions with custom settings
- Administrators are encouraged to review their logs for requests to /api/now/related_list_edit, especially from 51.159.98.241
ServiceNow has told some of its customers that cybercriminals were able to abuse a flaw in an API endpoint in an attempt to access their data.
In a support bulletin posted on its customer support portal, the company said it had fixed an issue “that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”
According to the bulletin, a fix applied on June 5, 2026 changed the API endpoint configuration to limit access to authenticated users only.
Affecting Australians
The company said the attackers exploited the vulnerability to query tables of customer instances, but did not say what type of data they were able to access.
These instances typically store sensitive business information, such as IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.
However, that does not mean that this type of information was accessed, nor that each exposed customer lost all of this data.
Later in the bulletin, the company said the issue primarily affected customers running the Australian version of the platform, as well as those with older versions with certain configuration changes.
“The security issue concerns customers who are on the Australian version of the platform or who made certain configuration changes to instances in pre-Australian versions,” ServiceNow warned.
The company says it has notified affected customers by opening support cases; therefore, if you are a ServiceNow customer without an open support case, consider your data safe.
Other administrators should check their logs for requests to /api/now/related_list_edit, particularly from IP address 51.159.98.241. They should also review exposed tickets and logs for sensitive information, update passwords and tokens shared through support workflows, and ensure API logging is enabled.
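One way to run the log review described above, as an added example that is not from ServiceNow or the original article. It assumes request logs exported to CSV with the hypothetical columns timestamp, source_ip, method, url and user (empty user meaning no authenticated session), uses constructed sample rows, and goes slightly beyond the advice by also matching URL-encoded and mixed-case forms of the path.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/now/related_list_edit"  # path named in the bulletin
BULLETIN_IP = "51.159.98.241"            # source IP named in the bulletin

# Constructed sample export; the column names are assumptions, not ServiceNow's schema.
SAMPLE_LOG = """timestamp,source_ip,method,url,user
2026-06-03T10:01:12Z,51.159.98.241,GET,/api/now/related_list_edit?a=1,
2026-06-03T10:01:15Z,51.159.98.241,GET,/api/now/Related_List_Edit/abc,
2026-06-03T11:30:00Z,198.51.100.7,POST,/api/now/table/incident,alice
2026-06-04T08:12:44Z,203.0.113.20,GET,/api/now/%72elated_list_edit,
2026-06-04T09:00:00Z,203.0.113.21,GET,/api/now/related_list_edit,bob
2026-06-04T09:05:00Z,203.0.113.22,GET,/api/now/related_list_editor,
"""


def hits_endpoint(url):
    """True if the URL path is the endpoint or a sub-path of it (not a lookalike)."""
    path = unquote(urlsplit(url).path).lower().rstrip("/")
    return path == ENDPOINT or path.startswith(ENDPOINT + "/")


def triage(log_text):
    """Group endpoint hits by source IP; rows are assumed to be in time order."""
    by_ip = defaultdict(lambda: {"hits": 0, "unauthenticated": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        if not hits_endpoint(row["url"]):
            continue
        entry = by_ip[row["source_ip"]]
        entry["hits"] += 1
        if not (row["user"] or "").strip():  # assumption: empty user = no session
            entry["unauthenticated"] += 1
        entry["first"] = entry["first"] or row["timestamp"]
        entry["last"] = row["timestamp"]
    for ip, e in by_ip.items():
        e["priority"] = ("high" if ip == BULLETIN_IP
                         else "review" if e["unauthenticated"] else "low")
    return dict(by_ip)


if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items()):
        print(ip, e)
```

The first and last timestamps per source give the window to use when reviewing which tickets and records were reachable during that period.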
Via BleepingComputer





