
ServiceNow API Security Flaw Patched After Unauthorised Customer Instance Queries Reported: Organisations Advised to Review Logs

The American cloud computing company ServiceNow recently confirmed a security incident in which attackers reportedly exploited an unauthenticated API flaw to query data directly from customer instances. Affected organisations have been advised to review their environments and check for possible exposure.

Here’s more about the security incident.

ServiceNow Security Incident Reported Following Unauthenticated API Flaw?

Following anomalous activity detected in early June, ServiceNow deployed a global security update on June 5, 2026, restricting API access to authenticated users only.

According to what has been shared online, threat actors may have exploited a misconfigured or unauthenticated access flaw in a specific API endpoint. This allowed attackers to bypass authentication and retrieve restricted data from certain customer environments by directly querying customer instance tables.

As mentioned, ServiceNow has already deployed a security update to address the issue. The exact number of affected users is not known, but the company is said to be notifying impacted customers through the Now Support Portal and support cases. Organisations using ServiceNow are advised to check whether they have received any alert or reference to Bulletin KB3067321.

In addition, organisations should review their instance transaction logs for anomalous activity, especially unauthorised requests to restricted tables. The IP address 51.159.98.241 has also been identified by the community as a confirmed source of malicious activity, and organisations may review their logs for any activity linked to it.
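One way to run the log review described above over an exported transaction log, as an added example that is not ServiceNow's or the article's own code. The CSV column names, the restricted-table list and the `guest` marker for unauthenticated requests are assumptions to adapt to your export, and the `/api/now/table/<name>` path is used only as a generic form of table access, since the article does not name the affected endpoint.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Indicator named in the article above.
INDICATOR_IP = ipaddress.ip_address("51.159.98.241")
# Assumption: tables your organisation treats as restricted.
RESTRICTED_TABLES = {"sys_user", "incident"}
# Assumption: user values that mark a request as unauthenticated in the export.
UNAUTHENTICATED_USERS = {"", "guest"}

# Constructed sample export; column names are assumptions, not a ServiceNow schema.
SAMPLE_CSV = """created,source_ip,user,url
2026-06-02 03:14:07,51.159.98.241,guest,/api/now/table/sys_user?sysparm_limit=1000
2026-06-02 03:15:40,198.51.100.7,guest,/api/now/table/incident
2026-06-02 09:01:12,203.0.113.20,alice,/api/now/table/incident?sysparm_query=active=true
2026-06-02 09:02:30,203.0.113.20,guest,/login.do
2026-06-03 11:45:00,51.159.98.241,guest,/stats.do
"""

def table_from_url(url):
    """Return the table name for a /api/now/table/<name> request, else None."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) >= 4 and parts[:3] == ["api", "now", "table"]:
        return parts[3].lower()
    return None

def review(rows):
    """Yield (reason, row) for each row that warrants a closer look."""
    for row in rows:
        try:
            ip = ipaddress.ip_address(row["source_ip"].strip())
        except ValueError:
            ip = None  # malformed address: the table rule below still applies
        table = table_from_url(row["url"])
        unauth = row["user"].strip().lower() in UNAUTHENTICATED_USERS
        if ip == INDICATOR_IP:
            yield "indicator-ip", row
        elif unauth and table in RESTRICTED_TABLES:
            yield "unauthenticated-restricted-table", row

def review_csv(text):
    """Parse CSV text and return the flagged (reason, row) pairs as a list."""
    return list(review(csv.DictReader(io.StringIO(text))))

if __name__ == "__main__":
    for reason, row in review_csv(SAMPLE_CSV):
        print(reason, row["created"], row["source_ip"], row["url"])
```

Matching on the indicator address alone misses the same activity from other sources, which is why the second rule flags unauthenticated table requests regardless of origin.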


Via Reddit Techzine
