0 credentials
Required to query any ServiceNow customer instance table via the vulnerable endpoint
4 days
Gap between ServiceNow's silent June 5 patch and June 9 public disclosure
~5 API hits per tenant
Observed exploitation pattern: targeted queries per compromised ServiceNow instance
3,066+
Enterprise customers at the $1M+ ACV tier in ServiceNow's 2026 customer base

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Attackers queried IT tickets, employee records, asset inventories, and embedded credentials from ServiceNow customer instances without a single valid credential between June 2 and June 3, 2026, exploiting an unauthenticated REST API endpoint that ServiceNow silently patched four days before publicly disclosing the breach on June 9, 2026.

The ServiceNow data breach centers on a Scripted REST Resource deployed with the requires_authentication field set to false. The vulnerable endpoint, /api/now/related_list_edit/create, accepted any HTTP request without session validation, token verification, or credential checks. Attackers sent structured queries directly to the endpoint and received table data from customer instances as if they were authenticated administrators. ServiceNow detected the anomalous activity and applied a fix on June 5, setting requires_authentication to true. The company notified a subset of customers through direct support cases, but issued no public advisory before BleepingComputer inquired on June 9.

Any organization running ServiceNow on the Australia platform release, or on an older release with a specific misconfiguration, should treat this as an active exposure today. ServiceNow instances store the operational core of enterprise IT: support tickets that contain embedded passwords, API keys, MFA recovery codes, and network configuration details employees wrote down during normal troubleshooting. Attackers who ran queries June 2 and June 3 now hold a credential inventory from organizations they may not have previously compromised. Organizations that have not audited their logs for the IOC IP are operating without visibility into an exposure that could become the entry point for a follow-on attack.

How Does the ServiceNow Unauthenticated API Vulnerability Work?

The ServiceNow data breach exploits the platform's Scripted REST API feature, which lets platform administrators define custom HTTP endpoints within their ServiceNow instance. Each Scripted REST Resource carries an authentication configuration field, requires_authentication, that controls whether the endpoint enforces session validation before processing the request.

When set to false, the endpoint accepts any HTTP request without checking for a valid session token, OAuth credential, or user login. The vulnerable endpoint at /api/now/related_list_edit/create shipped on the Australia platform release with requires_authentication=false. An attacker with network access to the instance could send an unauthenticated POST request to this endpoint and receive structured table data in response, exactly as an authenticated administrator would.

The query executes within the context of the ServiceNow application server, bypassing the login layer entirely. ServiceNow's underlying access control list (ACL) framework is a separate layer from authentication. Disabling authentication does not automatically trigger ACL enforcement. In many configurations the request is processed under a guest or service account context that inherits permissive default access to platform tables.

ServiceNow's ITIL-based architecture stores operational data in a flat table model. A successful query against /api/now/related_list_edit/create can return related list entries from incident records, change requests, knowledge articles, and configuration item data depending on the relationship definitions in the target instance. Security researchers reporting on the incident observed approximately five API hits per affected tenant, indicating attackers ran targeted queries rather than bulk table dumps.

The attack requires no user interaction, no credentials, no prior access, and generates no authentication failure events in the platform's standard security log. Detection depends entirely on API request logging and anomaly detection.

Which ServiceNow Releases and Customers Are Affected?

The ServiceNow data breach primarily affects organizations running the ServiceNow Australia platform release. The Australia release is a regionally designated distribution channel, not a geographic restriction. It delivers a specific software version to customers assigned to that track, which may include organizations outside Australia depending on contract and provisioning terms.

A secondary category of affected customers includes organizations on older releases who made specific configuration changes that reproduce the vulnerable state. ServiceNow has not disclosed the full list of affected releases or the total number of impacted customers as of June 10, 2026.

ServiceNow's 2026 customer base includes 3,066-plus enterprise accounts at the $1M+ annual contract value threshold and a broader platform footprint spanning every major industry. Healthcare organizations use ServiceNow for patient scheduling, clinical support workflows, and HR management. Financial services firms use it for vendor risk management and audit processes. Defense and government agencies use it for cleared facility operations and IT asset tracking. Critical infrastructure operators use it for operational technology change control. A successful query against an unpatched instance between June 2 and June 5 may have returned data from any of these operational domains.

Self-hosted and private cloud ServiceNow deployments that manage their own update schedules may not have received the June 5 patch. ServiceNow's security notice confirmed the fix was applied to hosted (NOW Platform cloud) instances. Organizations with self-managed deployments should verify their patch status directly with ServiceNow support and confirm the Scripted REST Resource authentication setting in their own configuration.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

What Data Was Stored in ServiceNow That Attackers Were After?

The ServiceNow data breach is dangerous specifically because of what ServiceNow instances contain. IT service management platforms are operational hubs where employees report broken things, request access, and document sensitive configurations. Support tickets routinely include embedded credentials shared during troubleshooting, API keys submitted in help requests, multi-factor authentication recovery codes provided by support staff, network diagrams and asset inventories, and internal documentation about security controls.

An attacker with read access to an organization's ServiceNow incident table holds a credential map assembled by the victim organization's own employees over months or years of normal operations. A 2024 help desk ticket asking IT to reset a VPN password may contain the replacement password in the response thread. A change request for a firewall modification may contain the device credentials used to execute the change. A software access request may contain a service account token submitted for approval.

This is the same pattern documented in SaaS platform credential theft campaigns targeting enterprise help desk tools: attackers who compromise a platform's API do not need to defeat encryption or endpoint security. They query the operational history the employees themselves created.

Data retrieved June 2-3 can fuel follow-on attacks against the same organizations weeks or months later, after the original exposure fades from incident response priority. Organizations that rotate credentials immediately after detection are protected. Organizations that audit only their ServiceNow security logs without rotating the embedded secrets in accessible tickets remain exposed even after applying the June 5 patch.

Support tickets commonly store credentials, API tokens, internal documentation, and authentication secrets shared during troubleshooting.

Triskele Labs incident analysis, June 2026

IOCs and Attack Signatures: What to Check in Your ServiceNow Logs

The ServiceNow data breach has one confirmed network-level IOC as of June 10, 2026. Organizations should check their transaction logs for any requests to the vulnerable endpoint during the active exploitation window.

The ServiceNow Transaction Log is available under System Diagnostics in the Admin UI. Any entry showing a Guest user account performing queries against /api/now/related_list_edit/create should be treated as confirmed unauthorized access. The Guest user activity is the clearest platform-level indicator that authentication enforcement failed.

API logging must be enabled to perform this audit. If your instance does not have API request logging configured, you cannot determine whether you were targeted. Enable it immediately via System Properties: set com.glide.sys.log_caller_info to true.

After auditing ServiceNow logs, pivot the attacker IP across all other enterprise systems, WAF logs, proxy logs, and cloud access logs. A source that successfully queried ServiceNow tables may have also probed other exposed APIs, SaaS platforms, or public-facing services during the same window. The credential leak patterns documented in large-scale dark web exposure events show that attackers who gain SaaS platform access routinely expand to adjacent targets using credentials found inside.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Verify and Remediate Your ServiceNow Exposure

Follow these seven steps to confirm patch status, detect exploitation, and close the exposure window. Work through them in order.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why the ServiceNow Data Breach Matters for Enterprise Security Teams

The ServiceNow data breach is a template for a category of risk that most enterprise security programs underestimate: the SaaS platform that sits inside the perimeter and is trusted precisely because it requires authentication to access, but which becomes a browsable archive of operational secrets the moment that authentication check fails.

Most enterprise security programs focus on protecting data at the source: encrypting databases, hardening servers, monitoring for exfiltration events. ServiceNow bypasses that model because employees voluntarily write credentials, network details, and access instructions into support tickets and change requests as part of normal IT operations. The platform is designed to be searched and shared. When an unauthenticated API endpoint bypasses the login layer, an attacker does not need to defeat endpoint detection, pivot through multiple systems, or crack encrypted storage. They query the help desk.

ServiceNow is not the only enterprise SaaS platform with this risk profile. Any platform that employees use to document operational information, request access, or share troubleshooting details holds the same type of credential inventory. Salesforce instances, Jira projects, Confluence spaces, and Zendesk ticket queues all accumulate credentials over time when employees treat them as secure-by-default internal tools.

The four-day gap between ServiceNow's quiet June 5 patch and the June 9 public disclosure is a process problem that compounds the technical risk. Organizations cannot audit for an incident they do not know occurred. Security teams that detected nothing unusual between June 5 and June 9 are not necessarily unaffected. They may simply have lacked the log visibility to see five API hits against one endpoint during a two-day window.

The bottom line

The ServiceNow data breach exposed IT tickets, embedded credentials, and employee records from customer instances via an unauthenticated REST API endpoint between June 2 and June 3, 2026. Three takeaways: the patch was silent on June 5, four days before disclosure; Guest user activity in transaction logs is the clearest sign of exploitation; and rotating embedded ticket credentials matters as much as patching the endpoint. Audit your ServiceNow transaction logs for 51.159.98.241 and Guest user activity against /api/now/related_list_edit/create before end of day today. For a full API ACL hardening checklist and SIEM detection query templates, see our ServiceNow data breach security analysis.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is the ServiceNow data breach?

The ServiceNow data breach is a June 2026 security incident where attackers exploited a Scripted REST Resource endpoint configured with requires_authentication set to false. The vulnerable endpoint accepted unauthenticated HTTP requests and returned table data from customer ServiceNow instances without any login, token, or credential check. Exploitation was observed June 2-3, 2026. ServiceNow patched the endpoint on June 5 and disclosed the incident on June 9.

How does the ServiceNow unauthenticated API vulnerability work?

The vulnerable endpoint /api/now/related_list_edit/create shipped on the Australia platform release with the requires_authentication field set to false. Any HTTP request to this endpoint bypassed ServiceNow's login layer entirely. The platform's access control list framework operates separately from the authentication layer, so the unauthenticated request was often processed under a permissive guest context with read access to multiple tables including incidents, change requests, and knowledge articles.

Which ServiceNow customers are affected by the June 2026 security incident?

The incident primarily affects organizations on the ServiceNow Australia platform release and customers on older releases who made configuration changes that enabled the same vulnerable state. ServiceNow has not disclosed the total number of impacted customers. Self-hosted or private cloud deployments that have not applied the June 5 patch remain vulnerable until they manually remediate.

What data was exposed in the ServiceNow breach?

ServiceNow instances typically store IT support tickets, change requests, employee records, asset inventories, and security incident reports. Support tickets frequently contain embedded credentials, API keys, multi-factor authentication recovery codes, and network configuration details that employees share during troubleshooting. Attackers who queried tables during June 2-3 may have accessed any of this data depending on what tables were accessible in the guest context on each affected instance.

Has ServiceNow assigned a CVE to this vulnerability?

ServiceNow had not assigned a CVE as of June 10, 2026. The company was still evaluating whether to publish a CVE at the time of disclosure. ServiceNow applied a security update to hosted instances on June 5, 2026, four days before public disclosure. Organizations should monitor ServiceNow's security advisories portal for a formal CVE designation and update their vulnerability tracking accordingly.

How do I detect unauthorized access to my ServiceNow instance?

Search the ServiceNow Transaction Log under System Diagnostics for any requests to /api/now/related_list_edit/create between June 1 and June 6, 2026. Filter for activity associated with the Guest user account. Any Guest user transaction against this endpoint during that window indicates unauthenticated exploitation. You must have API request logging enabled (com.glide.sys.log_caller_info set to true in System Properties) to conduct this audit. Also check all logs for traffic from 51.159.98.241.

What should I do if my ServiceNow instance was accessed without authorization?

Confirm the June 5 patch is applied first. Then rotate all credentials, API tokens, OAuth secrets, and passwords documented in incident or change tickets from the past 12 months. Notify affected employees whose account data appeared in accessible tables and enforce MFA reauthentication. Audit all Scripted REST Resources to confirm requires_authentication is true on every endpoint. Block 51.159.98.241 at the perimeter and pivot the IP across other enterprise log sources for lateral movement evidence.

Can attackers reuse credentials found in ServiceNow support tickets?

Yes. Support tickets routinely contain plaintext credentials that employees share during troubleshooting, including VPN passwords, service account credentials, API keys, and MFA recovery codes. Attackers who queried ServiceNow tables via the unauthenticated endpoint now hold a credential inventory from affected organizations. These credentials can be used in follow-on attacks against other systems weeks or months after the original breach, making rotation equally important to patching the vulnerable endpoint.

Sources & references

  1. BleepingComputer: ServiceNow discloses security incident exposing customer data
  2. Triskele Labs: ServiceNow Unauthenticated API Access Exposing Customer Instance Data
  3. Cybernews: ServiceNow data breach security issue gives attacker access
  4. The CyberSec Guru: ServiceNow API Breach What Customers Need to Know Now

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.