Executive Summary
On 9 June 2026, ServiceNow disclosed an incident in which unknown threat actors exploited a flaw to gain deeper unauthorized access to susceptible customer instances.
On 5 June 2026, ServiceNow applied a security update to hosted customer instances to address an issue that could allow an unauthenticated user, under certain circumstances, to gain greater access to ServiceNow instances than intended.
Key Takeaways
- Active exploitation confirmed: ServiceNow detected anomalous activity relating to the security issue and observed evidence of successful queries of instance tables against a subset of customers.
- Affected scope: The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia.
- No CVE yet: The security flaw currently does not have a CVE identifier.
Mitigation Options
- Apply the patch: ServiceNow deployed a security update on 5 June 2026, which modifies an endpoint configuration to restrict access to authenticated users only. Ensure hosted instances have received this update.
- Check if instances affected: ServiceNow has notified impacted customers directly, so monitor communications from ServiceNow and review instance activity logs for anomalous table queries.
- Review configuration changes: If your organization made custom configuration changes to instances on pre-Australia releases, audit those changes promptly as they may have increased exposure.