ServiceNow Discloses Security Incident Exposing Customer Data

Software provider ServiceNow has applied a security update after detecting unusual activity linked to an unauthenticated access issue affecting some hosted customer instances.
According to reporting based on ServiceNow support bulletin KB3067321 (only accessible through ServiceNow’s customer support portal), the company applied the update to hosted customer instances on 5 June 2026. ServiceNow said the issue could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.
The company also observed evidence of successful queries of instance tables for a subset of customers and opened support cases with affected organisations.
ServiceNow has not publicly confirmed exactly what data was accessed.
ServiceNow described the issue as involving an API endpoint configuration that could allow unauthenticated access. ServiceNow has not publicly released full technical details, but administrators discussing the incident have linked the activity to the endpoint /api/now/related_list_edit/create.
Community reporting suggests the affected Scripted REST resource may have had requires_authentication set to false, allowing requests without a valid session, token, or credential check. ServiceNow said the 5 June update changed the API endpoint configuration to limit access to authenticated users only.
Because those endpoint-level details come from administrator reports and third-party analysis rather than a full public ServiceNow technical advisory, they should be treated as reported technical indicators rather than confirmed vendor root-cause details.
Some community posts on Reddit and X stated that a customer security team reported the issue before the patch, and that ServiceNow support initially treated the report as a non-urgent case. Some community reports also allege that internal ServiceNow records showed the issue had been tracked since 7 April 2026 and that a fix had originally been planned for a later platform release.

ServiceNow has not independently confirmed those claims in public materials. They are best described as allegations from community reporting unless further documentation becomes available.
ServiceNow says the issue affects customers on the Australia platform release, as well as customers on earlier releases who made certain configuration changes to their instances.
The company has not publicly listed which data fields or records were accessed. ServiceNow instances commonly store sensitive business information, including IT support tickets, employee records, internal documentation, asset inventories, workflow data, security incident reports, and system configuration details.
Administrators have reported that suspicious requests may appear in logs as activity from the Guest user, because the requests were unauthenticated. That detail has not been fully confirmed by ServiceNow but has been widely discussed in incident-response threads.
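A log review based on the indicators reported above could look like the following sketch, which is an added example and not ServiceNow's or the article's own code. It assumes a transaction-log export in CSV form; the column names (created_on, user, source_ip, url) and all sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Endpoint named in administrator reports (not confirmed by the vendor).
REPORTED_PATH = "/api/now/related_list_edit/create"
# Per the reports, unauthenticated requests may be logged as the Guest user.
GUEST_NAMES = {"guest"}

# Constructed sample export; column names are assumptions for this example.
SAMPLE_CSV = """created_on,user,source_ip,url
2026-06-01 02:14:07,guest,203.0.113.10,/api/now/related_list_edit/create?sysparm_x=1
2026-06-01 02:14:09,Guest,203.0.113.10,/api/now/related_list_edit/create/
2026-06-01 02:15:30,guest,198.51.100.7,/api/now/Related_List_Edit/create
2026-06-01 03:00:00,guest,198.51.100.7,/login.do
2026-06-02 09:12:44,alice.admin,192.0.2.25,/api/now/related_list_edit/create
2026-06-03 11:01:02,guest,203.0.113.10,/api/now/related%5Flist%5Fedit/create
"""


def normalize_path(url):
    """Drop the query string, percent-decode, lower-case and strip a trailing slash.

    Matching is deliberately loose so that spelling variants of the same
    path are reviewed rather than missed.
    """
    return unquote(urlsplit(url).path).lower().rstrip("/")


def find_guest_hits(csv_text):
    """Return per-source-IP count and first/last time of Guest requests to the endpoint."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["user"].strip().lower() not in GUEST_NAMES:
            continue  # authenticated users are out of scope for this check
        if normalize_path(row["url"]) != REPORTED_PATH:
            continue
        hits[row["source_ip"]].append(row["created_on"])
    # ISO-style timestamps sort correctly as plain strings.
    return {ip: {"count": len(ts), "first": min(ts), "last": max(ts)}
            for ip, ts in hits.items()}


if __name__ == "__main__":
    for ip, s in sorted(find_guest_hits(SAMPLE_CSV).items()):
        print(f"{ip}: {s['count']} guest request(s), {s['first']} to {s['last']}")
```

Matches are leads for review against the support case ServiceNow opened, not proof of data access, since the endpoint and Guest-user details are community-reported.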
HackRead



