ServiceNow Data Breach 2026: Unauthenticated API Exposure Security Analysis and Remediation

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
In 2026, ServiceNow disclosed a security incident that affected customer instances across multiple industries. The exposure was not a traditional software vulnerability with a CVE number and a patch. It was a configuration problem at scale: ServiceNow's platform ships with API endpoints that, without proper Access Control List configuration, accept unauthenticated external requests and return internal record data.
This distinction matters for how you respond. Patching is not the fix. Auditing and hardening your instance configuration is. Security teams that treat this like a software update will miss the actual exposure window.
What the Exposure Actually Was
ServiceNow is a platform where customers provision their own instances and configure access controls for their specific data. The platform provides a Table API that allows programmatic access to any ServiceNow table. By design, this API is powerful: it can read incident records, user profiles, CMDB entries, change requests, and custom application data.
The exposure occurred when instances did not restrict this API to authenticated users. ServiceNow's default configuration settings have evolved over time, and older instances or those deployed without explicit security hardening guidance left the Table API accessible to any HTTP request that could reach the instance URL.
Threat actors did not need to exploit a vulnerability. They sent standard HTTP GET requests to ServiceNow Table API paths. Instances that had not locked down API authentication returned record data in the response. This is the pattern that security researchers mean when they describe misconfiguration as the leading cause of cloud data exposure: the platform worked exactly as configured, and the configuration was wrong.
Which Tables and Data Were at Risk
The Table API provides access to every table in a ServiceNow instance. The severity of exposure depended entirely on how an organization used ServiceNow and which tables they had left accessible.
High-risk tables in documented exposure cases included:
The incident table, which in most organizations contains ticket titles and descriptions that reference specific systems, user names, error messages, and internal process details. A dump of incident records is effectively an operational map of your IT environment.
The sys_user table, which contains user accounts, email addresses, roles, department assignments, and manager relationships. This data supports phishing and social engineering directly.
The cmdb_ci tables, which describe your infrastructure components: servers, network devices, cloud assets, software versions. For attackers planning lateral movement or prioritizing targets, CMDB data reduces reconnaissance time significantly.
Customer-built custom tables are also in scope. If your organization built a ServiceNow application that stores contracts, vendor data, HR records, or financial information, those tables were equally accessible if ACLs were not configured correctly.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
How to Audit Your ServiceNow Instance
ServiceNow provides the Instance Security Center (ISC) as a built-in audit tool. Access it from the Application Navigator by searching for Security Center. Run a full scan. Review every finding marked as Critical or High priority before proceeding to manual checks.
Check Table API authentication settings. Navigate to System Web Services > REST > REST API Explorer. For each API definition, confirm that Requires Authentication is enabled. Any API definition without this flag set can accept unauthenticated requests.
Review ACLs on sensitive tables. Navigate to System Security > Access Control (ACL). Filter for table-level ACLs on your highest-risk tables (sys_user, incident, cmdb_ci, custom application tables). Verify that read operations require a valid role.
Check public portal widgets. If you run a ServiceNow Service Portal or Employee Service Center, review each widget that displays data from backend tables. Widgets that call server-side scripts to retrieve records must validate the requesting user's session before returning data.
Audit transaction logs for historical external access. In System Logs > Transaction Logs, filter for the time window prior to ServiceNow's disclosure notification. Look for GET requests to /api/now/table/ paths from IP addresses outside your corporate ranges with HTTP 200 responses. Any successful external reads are evidence of actual data exposure.
Immediate Remediation Checklist
Work through these steps in order of impact.
1. Enable authentication on all Table API endpoints. This is the highest-priority fix. Any unauthenticated external access to your Table API must be blocked.
2. Apply role-based ACLs to sensitive tables. Even authenticated users should not have read access to tables outside their job function. Lock down sys_user, cmdb tables, and custom application tables to the minimum required roles.
3. Disable unused API endpoints. If your organization does not use specific ServiceNow REST APIs programmatically, disable them. Every exposed endpoint is an attack surface that does not need to exist.
4. Rotate exposed credentials. If incident ticket descriptions contained passwords, API keys, or tokens (a common problem in helpdesk environments), rotate all credentials that may have appeared in accessible tickets during the exposure window.
5. Enable MID Server audit logging. Configure logging to capture all external API requests going forward so that future incidents can be scoped quickly.
6. Notify affected users. If your sys_user table records were potentially accessed by external parties, affected users should be notified and their passwords reset. In jurisdictions covered by GDPR or CCPA, this may also trigger mandatory breach notification timelines.
Why This Pattern Keeps Appearing
The ServiceNow incident is part of a consistent pattern in enterprise SaaS security. The platform works correctly. The configuration defaults are too permissive. Customers deploy quickly under time pressure and do not complete the security hardening checklist. The exposure sits dormant until someone scans for it.
This pattern has played out with Salesforce communities, Jira Service Management instances, Confluence spaces, and now ServiceNow. The common thread is that IT platforms designed for collaboration and access provision features that administrators must explicitly lock down rather than features that are secure by default and require explicit enablement.
The organizational fix is not just the technical remediation above. It is adding ServiceNow ACL review to your change management process so that new tables and new portal deployments trigger a security review before they go live. It is running the Instance Security Center scan on a quarterly schedule, not only when incidents are disclosed. And it is establishing a clear ownership model for ServiceNow security configuration so that no instance upgrade or new module deployment proceeds without a security sign-off.
The bottom line
The ServiceNow data breach was a configuration exposure, not a platform vulnerability. That means your exposure depends entirely on how your instance is configured, and the fix requires auditing your own ACLs rather than waiting for a vendor patch. Run the Instance Security Center scan today, review Table API authentication settings, and check your transaction logs for evidence of historical external access. If you find exposure, treat it as a confirmed data breach: scope affected records, rotate any credentials that appeared in accessible tickets, notify affected users, and evaluate your breach notification obligations under GDPR, CCPA, or applicable industry regulations.
Frequently asked questions
What happened in the ServiceNow data breach?
ServiceNow disclosed a security incident in which misconfigured public-facing API endpoints on customer instances allowed unauthenticated external requests to read data from internal tables. The issue was not a vulnerability in ServiceNow's platform code itself but rather a configuration exposure: ServiceNow instances are deployed with default API access controls that customers are responsible for restricting. Instances that had not applied the recommended security hardening guidelines left table API endpoints accessible without authentication credentials. Threat actors discovered and enumerated these endpoints to extract records from tables including incident tickets, user profiles, and configuration items.
Which ServiceNow API endpoints were exposed?
The exposure centered on three categories of ServiceNow API endpoints. The Table API (/api/now/table/{tableName}) is the primary REST interface for reading and writing ServiceNow records. Without explicit access controls, it allows unauthenticated GET requests to retrieve table records. The Scripted REST APIs that customers build on top of ServiceNow may also expose data if the access control settings were not reviewed. ServiceNow UI page widgets, which serve data to portals and service catalogs, represent a third category that can unintentionally expose backend record data if widget security settings are not locked down. ServiceNow has published guidance on ACL (Access Control List) hardening for each of these endpoint types.
How do I know if my ServiceNow instance was affected?
ServiceNow will notify customers directly if they have evidence of access to your instance data. However, you should not wait for notification. Log in to your ServiceNow instance and navigate to System Logs > Transaction Logs. Filter for transactions from external IP addresses against table API paths (/api/now/table/) with HTTP method GET and a response code of 200. Any successful unauthenticated reads from external IPs are indicators of exposure. Also check your instance's security policy settings under System Security > Access Control (ACL) and confirm that your public-facing portal and API endpoints require authentication.
What data was accessible through the unauthenticated API?
The specific data accessible depended on which tables each customer's instance had exposed through misconfigured ACLs. In documented cases, exposed data included incident ticket contents (which often contain user details, system names, and internal process notes), user table records (names, email addresses, job titles, and department assignments), and configuration management database (CMDB) records describing infrastructure components. The severity of exposure varied significantly by customer: instances used for IT helpdesk would expose internal operational data, while instances handling HR or finance processes could expose more sensitive personal or financial information.
What immediate remediation steps should I take?
Work through this sequence immediately. First, run the ServiceNow Instance Security Center scan from your instance dashboard to identify ACL gaps across your API endpoints, widgets, and portals. Second, enforce authentication requirements on all Table API endpoints by setting the Requires Authentication flag to true in your REST API security settings. Third, review your public-facing service portals and disable any widgets that expose records from sensitive tables without authentication checks. Fourth, rotate any credentials or tokens that may have been accessible via exposed incident or CMDB records. Fifth, enable the ServiceNow MID Server logging to capture external API access going forward.
Did ServiceNow release a security patch for this issue?
The exposure was primarily a configuration issue rather than a platform vulnerability requiring a code patch. ServiceNow responded by publishing updated security hardening guides, activating the Instance Security Center scanning feature for all customers, and pushing mandatory security notifications to administrators of affected instances. ServiceNow also updated default ACL configurations in newly provisioned instances to restrict unauthenticated API access by default. Existing instances required manual remediation by administrators following the hardening documentation.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
