Particle.news
Get it on Google Play
Download on the App Store
4 ARTICLES
·
1h ago

ServiceNow Fixes API Misconfiguration After Attackers Queried Customer Instances

The incident exposed instance data to unauthenticated queries, raising urgent questions about notification, remediation and possible CVE assignment.

ServiceNow
Image
Image
Image

Overview

  • ServiceNow applied a security update on June 5, 2026 that changed an API endpoint to require authentication after detecting anomalous activity.
  • The company confirmed investigators found evidence that attackers successfully queried instance tables for a subset of customers.
  • Community administrators pointed to the REST endpoint /api/now/related_list_edit/create and a reported setting of requires_authentication=false as the likely cause.
  • ServiceNow opened support cases and published a customer-only bulletin to notify impacted customers and the security community shared an indicator of compromise, notably traffic from IP 51.159.98.241.
  • Customers are advised to review logs for requests to the related_list_edit endpoint, rotate any credentials or tokens exposed in support tickets, verify the patch, and watch for ServiceNow’s decision on issuing a CVE.