ServiceNow flaw let unknown actors query customer instances
Unknown actors exploited a ServiceNow flaw that in some cases let unauthenticated users query tables on customer instances running the Australia release or on specially configured instances. ServiceNow patched hosted instances on June 5, 2026.
ServiceNow applied a security update to hosted customer instances on June 5, 2026, to address a configuration issue that could allow an unauthenticated user to gain greater access to instances than intended. The update changes an endpoint so it requires authenticated access, limiting unauthenticated queries.
The company detected anomalous activity linked to the issue and reported evidence that unknown actors had successfully queried instance tables belonging to a subset of customers. Impacted customers were notified. ServiceNow has not assigned a CVE identifier to the issue.
The advisory notes the issue affects customers running the Australia platform release or customers that made specific configuration changes to instances on releases prior to Australia. The June 5 update restricts the affected endpoint to authenticated users.
Details about the flaw first appeared on Reddit. A user named “d3s7iny” posted that their security team had reported the problem to ServiceNow, and claimed the company had been aware of it internally since April 7, 2026. The post also asserted that the issue was classified internally as non-urgent for roughly two months before the June update. Those assertions are attributed to the Reddit commenter.
ServiceNow’s customer advisory states, “On June 5, 2026, ServiceNow applied a security update to hosted customer instances,” and explains the update’s purpose as limiting unintended access by unauthenticated users. The advisory was published to channels available to customers.
ServiceNow operates hosted instances for enterprise workflow and IT service management, and platform releases are identified by names such as Australia. Platform-specific or configuration-specific issues can affect only portions of the customer base depending on release version and custom settings. At the time of the advisory, the company listed the update and customer notifications as the actions taken to address the exposure.








