ServiceNow says attackers exploited an unauthenticated API flaw to access data in some customer instances

ServiceNow told affected customers that attackers accessed data from some hosted customer instances through a flaw in an API endpoint. The company said it applied a security update on June 5, 2026 to require authentication for the affected endpoint, reportedly /api/now/related_list_edit/create, after detecting anomalous activity. ServiceNow has not yet assigned a CVE, and says the issue mainly affects customers on the Australia release or older releases with certain configuration changes.
Why it matters: Organizations using affected ServiceNow instances may have exposed sensitive ticket, employee, asset, and incident-response data, including credentials or tokens pasted into support workflows. This is urgent for affected customers: review logs and exposed records immediately, check for requests to the vulnerable endpoint, and rotate any secrets that may have been accessible.
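
The log check recommended above, as an added example that is not from ServiceNow or the cited reports: it scans a request-log export for the reported endpoint and ranks unauthenticated, successful requests made on or before the June 5 update highest. The CSV column names, the `guest` marker for unauthenticated sessions and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/now/related_list_edit/create"  # path as reported on this page
PATCH_DAY = date(2026, 6, 5)                    # hosted-instance update date per the page
UNAUTH_USERS = {"", "guest"}                    # assumption: how unauthenticated sessions are logged

# Constructed sample export. Column names and format are assumptions, not a ServiceNow schema.
SAMPLE = """\
timestamp,source_ip,user,method,url,status
2026-06-01 02:14:07,203.0.113.10,guest,POST,/api/now/related_list_edit/create,200
2026-06-01 02:14:09,203.0.113.10,guest,POST,/API/now/related_list_edit/create/?x=1,200
2026-06-02 09:30:00,198.51.100.7,jane.doe,POST,/api/now/related_list_edit/create,200
2026-06-03 11:00:00,203.0.113.10,guest,POST,/api/now/%72elated_list_edit/create,200
2026-06-04 08:00:00,192.0.2.5,guest,GET,/api/now/table/incident,401
2026-06-07 10:00:00,203.0.113.10,guest,POST,/api/now/related_list_edit/create,401
"""

def normalise(url):
    """Strip the query string, percent-decode, case-fold and drop a trailing slash."""
    return unquote(urlsplit(url).path).lower().rstrip("/")

def triage(csv_text):
    """Return (severity, timestamp, source_ip, user) for every request to ENDPOINT."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if normalise(row["url"]) != ENDPOINT:
            continue
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        unauth = row["user"].strip().lower() in UNAUTH_USERS
        succeeded = row["status"].startswith("2")
        # Unauthenticated, successful, on or before the patch day: matches the exposure described.
        if unauth and succeeded and when.date() <= PATCH_DAY:
            severity = "high"
        else:
            severity = "check"  # still worth a look: authenticated, rejected or post-patch
        findings.append((severity, row["timestamp"], row["source_ip"], row["user"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```

Records touched during any `high` window are the ones to review first for pasted credentials or tokens that need rotating.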

Sources

ServiceNow Patches Vulnerability Exploited Against Some Customers
Eduard Kovacs 2026.06.10 98% relevant
This is the same underlying event: ServiceNow patched the flaw in hosted instances on June 5, said exploitation allowed unauthenticated users in some cases to gain greater access and query instance tables, noted affected customers were notified, and added detail that Australia platform release users or customers with specific configuration changes were affected. It also reports the company is still evaluating a CVE assignment and that some reports claim ServiceNow had known of the issue since April 7.
ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
The Hacker News 2026.06.10 99% relevant
This article covers the same underlying event: exploitation of a ServiceNow flaw to gain unauthorized access to customer instances, reinforcing the incident details and affected scope already tracked.
ServiceNow discloses security incident exposing customer data
Lawrence Abrams 2026.06.09 100% relevant
This article appears to be the first concrete reporting of the ServiceNow incident, including exploitation details, affected release scope, the likely endpoint, and operational guidance for defenders.