What Happened
ServiceNow, the cloud-based IT service management platform used by thousands of enterprises worldwide, has disclosed a security incident in which attackers exploited an unauthenticated API endpoint to query data from customer instances.
The root cause was a Scripted REST Resource that shipped with the requires_authentication parameter set to false. This meant the endpoint accepted requests without any valid session token, credential check, or authentication step. Threat actors identified the misconfiguration and sent queries to the endpoint at /api/now/related_list_edit/create, successfully extracting data from customer instance tables.
ServiceNow detected anomalous activity tracing back to June 2-3, 2026, and applied a silent security update to all hosted customer instances on June 5. The company notified affected customers through a support bulletin and direct cases. ServiceNow has not disclosed which customers were affected, which data was accessed, or how many instances were hit. The company says it is still evaluating whether to publish a formal CVE for the issue.
The issue primarily affected customers running the Australia platform release or those on older releases who made specific configuration changes that exposed the endpoint. ServiceNow instances routinely store sensitive enterprise data including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and workflow configurations.
Why This Matters for Canadian Organizations
ServiceNow is one of the most widely deployed ITSM platforms in Canadian enterprises, financial institutions, and government departments. The platform is used across the federal government, major Canadian banks, insurance companies, healthcare networks, and large public-sector organizations. A breach of ServiceNow instance data is not a minor misconfiguration issue — it is a serious exposure of internal IT operations, security ticket contents, change management records, and employee personal information.
The data commonly held in ServiceNow instances qualifies as personal information under PIPEDA, and depending on the nature of the records accessed, affected organizations may face breach notification obligations to the Office of the Privacy Commissioner. For organizations operating under OSFI Guideline B-13, unauthorized access to ITSM data triggers review under the third-party and technology risk management provisions, particularly where the affected data relates to technology incident records, access management workflows, or vendor relationships.
Canadian security teams should not assume that because ServiceNow applied a silent fix on June 5, their instances were unaffected. Organizations on the Australia platform release or those with non-standard REST API configurations should review access logs for calls to the /api/now/related_list_edit/create endpoint from June 1 onward. External IP 51.159.98.241 has been publicly identified as a source of malicious requests in this incident and should be checked against access logs.
What to Do
First, confirm your ServiceNow instance is running the June 5 security update or later. For hosted instances, ServiceNow applied the patch automatically — verify your instance version in the system properties and confirm with ServiceNow support if unclear. For self-hosted or private cloud deployments, contact ServiceNow support to obtain and apply the remediation.
Second, audit Scripted REST Resources in your instance for any endpoints with requires_authentication set to false and review whether those endpoints should be accessible without credentials.
Third, review your ServiceNow access logs for the June 2-5 window, looking for anomalous API calls and external IP activity.
Fourth, if your instance stores personal information about employees or customers and unauthorized access cannot be ruled out, initiate a PIPEDA breach assessment. ServiceNow’s disclosure did not include a list of impacted customers, so affected organizations need to conduct their own investigation to assess whether their instance data was queried.
Monitor the official BleepingComputer coverage and ServiceNow’s security advisories for CVE assignment and further technical detail as the investigation continues.
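The log review described in the third step, and in the earlier advice to check for calls to the endpoint from June 1 onward, can be scripted. The following is an added example, not code from ServiceNow or from the article: it flags requests to the endpoint inside that window and any request from the reported IP. The combined-log line layout, the "-" marker for a request with no authenticated user, and the sample lines are assumptions; adapt the regular expression to your own log export.

```python
import re
from datetime import datetime, timezone

ENDPOINT = "/api/now/related_list_edit/create"            # endpoint named in the article
REPORTED_IP = "51.159.98.241"                             # source IP named in the article
WINDOW_START = datetime(2026, 6, 1, tzinfo=timezone.utc)  # "from June 1 onward"

# Assumed export layout (combined-log style): ip, ident, user, [time], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation-range IPs except the one from the article).
SAMPLE_LOG = [
    '198.51.100.7 - jdoe [31/May/2026:22:10:04 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 512',
    '51.159.98.241 - - [02/Jun/2026:03:14:15 +0000] "POST /api/now/related_list_edit/create?x=1 HTTP/1.1" 200 20480',
    '203.0.113.9 - - [03/Jun/2026:11:00:00 +0000] "POST /api/now/related_list_edit/create/ HTTP/1.1" 401 90',
    '198.51.100.7 - asmith [04/Jun/2026:09:30:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 300',
    '51.159.98.241 - - [04/Jun/2026:09:31:00 +0000] "GET /api/now/table/incident HTTP/1.1" 401 90',
    'corrupted line that does not match the assumed layout',
]

def review(lines):
    """Return (findings, unparsed_count); each finding is (line_no, ip, time, reasons)."""
    findings, unparsed = [], 0
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count unreadable lines so gaps in the review are visible
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < WINDOW_START:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")  # ignore query string, trailing slash
        reasons = []
        if path == ENDPOINT:
            reasons.append("endpoint hit")
            if m["user"] == "-":
                reasons.append("no authenticated user")
            if m["status"].startswith("2"):
                reasons.append("request succeeded")
        if m["ip"] == REPORTED_IP:
            reasons.append("reported source IP")
        if reasons:
            findings.append((n, m["ip"], ts.isoformat(), reasons))
    return findings, unparsed

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```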
Source: BleepingComputer






