
On 10 June 2026 ServiceNow disclosed that an unauthenticated API flaw had allowed attackers to view customer data on certain cloud instances. The issue primarily affected instances hosted on the Australia platform and instances carrying specific configuration changes from earlier releases.
The vulnerable endpoint is /api/now/related_list_edit/create. It accepted POST requests without authentication, so an attacker could create related list entries and, through them, read the underlying records while bypassing the access controls that normally gate that data. No CVE identifier has been assigned yet and no CVSS score has been published.
ServiceNow's internal investigation found suspicious activity beginning in early June; after detecting the anomalous behaviour the company issued a patch on 5 June that restricts the endpoint to authorised users. Customers whose instance logs showed signs of successful exploitation have been notified.
No threat actor has been publicly identified, and no specific malware or campaign has been linked to the abuse. The lack of a CVE reflects that decisions about public disclosure of the vulnerability are still being made.
Defenders should review instance logs for unexpected calls to the related_list_edit endpoint, paying particular attention to requests accepted without an authenticated user before 5 June, and should verify that authentication is now enforced (for example, by confirming that an unauthenticated request to the endpoint is rejected rather than accepted). Applying the patch released on 5 June is essential, and administrators should consider limiting API access to trusted IP ranges where feasible. Monitoring for unusual data export patterns or spikes in related list creation can help catch any lingering abuse.
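The log review described above, as an added example that is not part of the original article or of any ServiceNow tooling. The log line format (ISO timestamp, source IP, authenticated user or "-" for none, method, path, HTTP status) is an assumption chosen for the illustration, and the sample lines are constructed; real ServiceNow transaction or syslog output will need its own parser, but the three checks carry over: unauthenticated POSTs to the endpoint that were accepted, per-source bursts of creations, and confirmation that nothing unauthenticated was accepted after the patch date.

```python
import re
from collections import Counter
from datetime import datetime, timezone

ENDPOINT_PREFIX = "/api/now/related_list_edit"
PATCH_DATE = datetime(2026, 6, 5, tzinfo=timezone.utc)  # patch date from the disclosure

# Constructed sample log lines in an assumed format; not real ServiceNow output.
SAMPLE_LOGS = """\
2026-06-03T02:14:07Z 203.0.113.7 - POST /api/now/related_list_edit/create 201
2026-06-03T02:14:08Z 203.0.113.7 - POST /api/now/related_list_edit/create 201
2026-06-03T02:14:09Z 203.0.113.7 - POST /api/now/related_list_edit/create 201
2026-06-03T09:30:11Z 198.51.100.5 jane.doe POST /api/now/related_list_edit/create 201
2026-06-03T09:31:40Z 198.51.100.5 jane.doe GET /api/now/table/incident 200
2026-06-06T11:02:55Z 203.0.113.9 - POST /api/now/related_list_edit/create 401
"""

# Hypothetical format: "<ISO timestamp> <source IP> <user or -> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["status"] = int(e["status"])
    e["user"] = None if e["user"] == "-" else e["user"]  # "-" means no authenticated session
    return e


def parse_logs(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def is_endpoint_creation(e):
    return e["method"] == "POST" and e["path"].startswith(ENDPOINT_PREFIX)


def unauthenticated_successes(events, after=None):
    """Unauthenticated POSTs to the endpoint that the instance accepted (2xx).

    Before the patch these are the primary indicator of exploitation; after the
    patch there should be none at all.
    """
    return [
        e for e in events
        if is_endpoint_creation(e) and e["user"] is None and 200 <= e["status"] < 300
        and (after is None or e["ts"] >= after)
    ]


def creation_spikes(events, threshold):
    """(source IP, minute) buckets in which accepted creations reached the threshold."""
    counts = Counter()
    for e in events:
        if is_endpoint_creation(e) and 200 <= e["status"] < 300:
            counts[(e["ip"], e["ts"].strftime("%Y-%m-%dT%H:%M"))] += 1
    return {bucket: n for bucket, n in counts.items() if n >= threshold}


def auth_enforced_after_patch(events, patch_date=PATCH_DATE):
    """True when no unauthenticated call to the endpoint was accepted on or after the patch date."""
    return not unauthenticated_successes(events, after=patch_date)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for e in unauthenticated_successes(events):
        print("pre-patch unauthenticated hit:", e["ts"].isoformat(), e["ip"], e["status"])
    for (ip, minute), n in creation_spikes(events, threshold=3).items():
        print(f"burst: {n} creations from {ip} during {minute}")
    print("auth enforced after patch:", auth_enforced_after_patch(events))
```

The rejected request on 6 June is deliberately left out of the indicator list: a 401 against the patched endpoint is expected and is the evidence that the fix is in place, whereas a 2xx for a request with no authenticated user after 5 June would mean the patch is missing or not effective on that instance.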
Additionally, organisations are advised to enforce multi-factor authentication for all administrative accounts and to carry out a thorough data exposure assessment for any instance that showed indicators of compromise. Where signs of unauthorised access are found, contact ServiceNow support promptly for further guidance and assistance.