ServiceNow notified affected enterprise customers on June 9 that attackers had exploited an unauthenticated access flaw in one of its API endpoints between June 2 and 3, 2026. The company applied a security update to hosted customer instances on June 5, restricting the API endpoint to authenticated users only. The support bulletin, hidden behind a customer login wall but shared widely in the security community, states that the vulnerability could allow an unauthenticated user, in certain circumstances, to “gain greater access to ServiceNow instances than intended.” ServiceNow confirmed that for a subset of customers, attackers successfully queried instance tables. What they accessed is not publicly confirmed. YourNewsClub identifies the gap between the confirmation of successful queries and the non-disclosure of affected data types as the operational uncertainty that most complicates enterprise incident response for affected customers.
The technical detail that community reporting isolated: the affected endpoint is reportedly the REST API at /api/now/related_list_edit/create, which appears to have been deployed with a Scripted REST Resource configuration setting of requires_authentication=false. Security teams reviewing logs are advised to look for requests to that endpoint, particularly from the IP address 51.159.98.241, in the June 2-3 window. ServiceNow has not yet assigned a CVE for the issue and was still evaluating whether to publish one at the time of writing. That absence matters for enterprise procurement and vendor management teams that use CVE status as a trigger for formal breach investigation procedures.
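For security teams doing the log review described above, the following Python script is an added example (it is not ServiceNow's code and not part of the original bulletin). It takes the endpoint path, the source IP and the June 2-3 / June 5 dates from the reporting above and scores each request to the endpoint: a hit from the reported IP, or a successful unauthenticated hit inside the exploitation window, is rated high; a successful unauthenticated hit between then and the June 5 patch is rated medium; everything else to the endpoint is queued for review. The sample log lines are constructed, and the script assumes an access log in Combined Log Format with an empty remote-user field meaning an unauthenticated request; real instance logs may use a different layout, in which case only LINE_RE and the user test need changing.

```python
"""Triage access-log lines for requests to the ServiceNow endpoint named in the article.

Added example, not ServiceNow's code. Assumes Combined Log Format (assumption);
the path, IP and dates below come from the article itself.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Values taken from the reporting.
SUSPECT_PATH = "/api/now/related_list_edit/create"
SUSPECT_IP = "51.159.98.241"
# Reported exploitation window: June 2-3, 2026 (end is exclusive).
WINDOW_START = datetime(2026, 6, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 4, tzinfo=timezone.utc)
# Patch applied June 5, 2026; requests up to and including that day are pre-patch.
PRE_PATCH_END = datetime(2026, 6, 6, tzinfo=timezone.utc)

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; the IPs other than the reported one are documentation ranges.
SAMPLE_LOG = """\
51.159.98.241 - - [02/Jun/2026:14:03:11 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 512
203.0.113.7 - - [03/Jun/2026:02:17:45 +0000] "POST /api/now/related_list_edit/create?page=2 HTTP/1.1" 200 2048
198.51.100.20 - jdoe [02/Jun/2026:09:00:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 300
198.51.100.20 - - [04/Jun/2026:11:30:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 700
203.0.113.7 - - [07/Jun/2026:08:00:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 401 0
198.51.100.21 - jdoe [02/Jun/2026:10:00:00 +0000] "GET /api/now/table/incident HTTP/1.1" 200 1024
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one CLF line into a dict; return None when the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        # Assumption: "-" in the remote-user field means no authenticated user.
        "user": None if m["user"] == "-" else m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["target"].split("?", 1)[0],  # drop the query string before matching
        "status": int(m["status"]),
    }


def classify(rec):
    """Assign a triage severity to one request that hit the suspect endpoint."""
    in_window = WINDOW_START <= rec["ts"] < WINDOW_END
    pre_patch = WINDOW_START <= rec["ts"] < PRE_PATCH_END
    unauth = rec["user"] is None
    success = 200 <= rec["status"] < 300  # the endpoint actually answered the request
    if rec["ip"] == SUSPECT_IP:
        return "high"    # source IP named in community reporting
    if unauth and in_window and success:
        return "high"    # unauthenticated success during the reported exploitation window
    if unauth and pre_patch and success:
        return "medium"  # unauthenticated success before the June 5 patch
    return "review"      # authenticated, rejected, or post-patch traffic to the endpoint


def triage(lines):
    """Return every parsed request to SUSPECT_PATH, each tagged with a severity."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != SUSPECT_PATH:
            continue
        rec["severity"] = classify(rec)
        findings.append(rec)
    return findings


def sources_by_severity(findings, severity="high"):
    """Count flagged requests per source IP at the given severity."""
    return Counter(f["ip"] for f in findings if f["severity"] == severity)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["severity"].upper(), f["ts"].isoformat(), f["ip"], f["user"] or "-", f["status"])
    print("high-severity sources:", dict(sources_by_severity(results)))
```

A 2xx response to an unauthenticated request is the signal that matters here, because that is exactly the behaviour the June 5 update removed; a 401 after the patch shows the fix working, not a compromise. Run the script against the real access log by replacing SAMPLE_LOG with the file contents, and treat the high-severity source list as the starting point for the vendor log request described later in the article.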
The disclosure timeline has drawn scrutiny. Community posts allege that a customer security team reported the issue before the June 5 patch and that ServiceNow initially treated it as non-urgent. Further allegations suggest internal records show the issue had been tracked since April 7, 2026, with a fix planned for a later platform release rather than an emergency patch. ServiceNow has not publicly responded to those specific claims. YourNewsClub treats the alleged two-month tracking gap, if substantiated, as more legally significant than the breach itself – SaaS providers who knew of a vulnerability and delayed remediation face a different liability posture than those who were blindsided.
ServiceNow runs approximately 8,200 enterprise customers globally. Its instances routinely store IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and corporate system configuration details. The breadth of data types typical in a ServiceNow deployment means the actual exposure for any given customer depends entirely on what they stored and how their instance was configured at the time of exploitation. YourNewsClub expects the formal regulatory notification process – under GDPR in the EU and state breach notification laws in the US – to generate additional disclosures from affected customers in the next 30 to 60 days that will provide the first concrete picture of which data categories attackers actually accessed.
The cleanest takeaway is this: a SaaS breach of this nature lands differently than an on-premises breach because the customer had no control over when the patch arrived. ServiceNow pushed the June 5 fix to hosted instances centrally, without customer action required. But customers who held data in exposed instances between June 2 and the patch have no independent way to determine what was accessed without the vendor’s cooperation and full log access. That asymmetry – customer risk, vendor visibility – is the defining structural problem in hosted enterprise software security.
ServiceNow’s market position makes the scope of this incident difficult to quantify from outside. The company serves roughly 8,200 enterprise customers, many of them large financial institutions, healthcare systems, and government contractors. An unauthenticated query against a ServiceNow instance at a regulated financial institution could expose data categories that trigger separate breach notification obligations under the Gramm-Leach-Bliley Act in the US or the DORA regulation in the EU. YourNewsClub will follow the regulatory notification filings from affected customers over the next 30 to 60 days as the primary mechanism for establishing which data categories were actually accessed, as opposed to which categories could theoretically have been accessible given typical instance configurations.