ServiceNow flaw exploited for unauthorized access to some customer instances

ServiceNow has warned that unknown threat actors exploited a flaw to gain deeper, unauthorized access to some susceptible customer instances.

What ServiceNow says happened

In an advisory for customers, the company said: “On June 5, 2026, ServiceNow applied a security update to hosted customer instances. The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”

The update changes an endpoint configuration so that access is limited to authenticated users. The issue does not yet have a CVE identifier. Discussion of the flaw first surfaced on Reddit.

What’s known about impact

  • ServiceNow detected anomalous activity related to the issue.
  • It observed evidence of successful queries against instance tables for a “subset of customers.”
  • Impacted customers have been notified.

Who is affected

According to the company, “The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia.”

What others are claiming

A Reddit user named “d3s7iny” claimed their security team reported the vulnerability to ServiceNow and that the company had been aware of it internally since April 7, 2026. For roughly two months, it was allegedly treated as a non-urgent issue with plans to address it in a future update.

Where this stands

The Hacker News said it has contacted ServiceNow for comment and will update its report if it hears back. This story is still developing.
