ServiceNow has confirmed that attackers exploited a vulnerability in one of its API endpoints to access data from customer instances. The company deployed a security update on June 5, 2026, to remediate an unauthenticated access flaw that allowed attackers to query data directly from customer instance tables. ServiceNow has begun notifying affected customers through its support portal.

What happened, and why it matters

The vulnerability resided in a critical API endpoint that lacked proper authentication controls. Because the endpoint did not require authentication, attackers could query data from customer instance tables, where ServiceNow stores everything from employee records to IT incident tickets to internal knowledge base articles. ServiceNow has acknowledged the exploitation directly and is proactively warning affected customers.

A pattern worth watching

This isn’t ServiceNow’s first security incident in recent memory. The company patched CVE-2025-12420 on October 30, 2025, which addressed privilege escalation and impersonation issues within its AI-enhanced platform. Then came CVE-2026-0542, a remote code execution issue remediated in the January-February 2026 timeframe.