ServiceNow has disclosed a security incident after threat actors exploited a flaw in an API endpoint that allowed unauthorized access to customer data stored within affected instances.
According to the company, attackers were able to abuse the vulnerability without authentication, enabling them to query information from customer environments. ServiceNow detected unusual activity linked to the issue and quietly notified impacted organizations through support cases and a customer advisory.
The company applied a security update to hosted customer instances on June 5, 2026, to address the problem. The fix modified the affected API endpoint so that only authenticated users can access it, preventing further unauthorized queries.
ServiceNow confirmed that the vulnerability was actively exploited and allowed attackers to access customer instance tables. While the company has not revealed exactly what information was viewed, ServiceNow environments often contain sensitive business data such as IT service tickets, employee information, internal documentation, asset inventories, workflow records, security incident reports, and system configuration details.
The issue primarily affects customers running the Australia platform release, as well as organizations using older releases that implemented specific configuration changes.
At this time, ServiceNow is still determining whether a CVE identifier will be assigned to the vulnerability. Organizations that may be impacted are advised to review logs for suspicious activity, inspect exposed records, rotate credentials or tokens shared through support workflows, and ensure API logging is enabled to assist with incident response efforts.
The incident highlights the risks associated with improperly secured APIs and underscores the importance of continuous monitoring, access controls, and rapid patch deployment to protect sensitive enterprise data.