INSIGHTS HUB

CyberCase 360 | ServiceNow Patches Unauthenticated API Flaw After 44-Day Disclosure Gap

When your SaaS provider holds your IT tickets, employee records, and internal procedures, their disclosure timeline becomes your exposure window. The recent ServiceNow incident is a stark reminder of this reality.
4 days between confidential bug bounty submission (April 22) and patch deployment (June 5) — exploitation began June 2, three days before the fix
On June 5, 2026, ServiceNow silently patched a misconfigured API endpoint (/api/now/related_list_edit/create) that allowed unauthenticated POST requests to query customer instance tables. The vulnerability was disclosed via confidential bug bounty submission on April 22, 2026 — but exploitation activity was already underway on June 2, three days before the patch reached hosted customers.
1️⃣ WHAT HAPPENED
  1. On June 5, 2026, ServiceNow applied a security update to hosted customer instances addressing a misconfigured API endpoint (/api/now/related_list_edit/create) that permitted unauthenticated POST requests against customer instance tables.
  2. The flaw affected customers on the Australia platform release and those running earlier releases with specific customer-side configuration changes; the vulnerable endpoint was configured as a Scripted REST Resource with requires_authentication=false.
  3. ServiceNow’s June 10, 2026 advisory confirmed that anomalous activity commenced on June 2, 2026 — three days before the patch — and that “a subset of customer instances were queried successfully as part of this activity.” A second update was deployed June 10 to address a variant of the same issue.
  4. ServiceNow received a confidential bug bounty submission describing a similar issue on April 22, 2026 — 44 days before the patch was deployed. Additional bug bounty submissions arrived on June 3–4, 2026, and two further researcher reports on June 7, 2026.
  5. Unconfirmed claim (community-sourced): Reddit users — including one identifying as a customer security team — claimed via the r/servicenow community that ServiceNow had been internally aware of the issue since April 7, 2026 and had classified it as non-urgent with a planned fix in a later release. ServiceNow has not publicly confirmed these claims, and they should be treated as community allegations only until further documentation emerges.
2️⃣ BUSINESS IMPACT
[CONFIRMED] ServiceNow applied an emergency security update on June 5, 2026 for an unauthenticated access flaw on hosted customer instances (ServiceNow advisory KB3067321 via BleepingComputer, June 2026)
[CONFIRMED] “A subset of customer instances were queried successfully” — instance tables typically contain IT support tickets, employee records, change tickets, credentials, and internal documentation (ServiceNow trust advisory, The Hacker News, June 10, 2026)
[CONFIRMED] 44-day gap between confidential bug bounty submission (April 22, 2026) and patch deployment (June 5, 2026); exploitation activity began June 2, 2026 (ServiceNow advisory via BleepingComputer and The Hacker News, June 2026)
[CONFIRMED] Vulnerable endpoint identified as /api/now/related_list_edit/create; second update issued June 10 to address a variant of the same flaw (CyberSIXT, June 2026)
[CONFIRMED] ServiceNow’s updated June 10 position attributes the activity primarily to security researchers conducting responsible disclosure, not malicious threat actors; the company states no customer data was retained or misused by the researchers it identified (TechCrunch, BleepingComputer update, June 10, 2026)
[ESTIMATED] Reddit community claims ServiceNow knew internally since April 7, 2026 — unconfirmed by ServiceNow; treated as community allegation (Reddit r/servicenow via The Hacker News and Hackread, June 2026)
[CONFIRMED] No CVE identifier currently assigned and no CVSS score published (CyberSIXT, June 2026)
3️⃣ LIKELY ROOT CAUSE
• Misconfigured Scripted REST Resource at /api/now/related_list_edit/create with requires_authentication=false, allowing unauthenticated POST requests to reach customer instance tables (Source: Rescana technical analysis, June 2026)
• Vendor patch lifecycle did not prioritise auth-bypass class flaws — the confidential April 22 bug bounty submission was not immediately remediated; ServiceNow has acknowledged the timeline but not the prioritisation rationale (Source: ServiceNow advisory; community allegations re. earlier internal awareness unconfirmed)
• Pre-Australia release inheritance: customer-side configuration changes on earlier releases replicated the unsafe default, meaning the vendor patch alone is insufficient where bespoke configs were applied (Source: ServiceNow advisory scope statement)
4️⃣ CONTROL FAILURES
• [CF-1] 🔗 Third Party: ServiceNow’s vendor disclosure and remediation timeline drove the customer exposure window — affected customers had no visibility into the April 22 submission until 6+ weeks later
• [CF-2] ⚙️ Technology: Misconfigured REST endpoint exposed customer instance tables; endpoint configuration was not validated against an authentication baseline
• [CF-3] 📋 Process: No customer-side monitoring detected the anomalous unauthenticated queries — vendor-side detection was the sole control standing between attacker and data
• [CF-4] 🪪 Identity: Default endpoint configuration permitted unauthenticated POST requests against tables containing sensitive employee, ticket, and operational data
• [CF-5] 👥 People: SaaS administrators were not equipped to audit platform-release-specific endpoint configurations against vendor security baselines or detect configuration drift
5️⃣ RECOMMENDATIONS
→ [CF-1] Mandate vendor disclosure SLAs in SaaS contracts (NIS2 Article 21(2)(d) — supply chain security; ISO 27001 A.5.20 — supplier agreements): SaaS contracts must require vendor notification within a defined window of confidential bug bounty receipt for auth-bypass class issues, not only for assigned CVEs.
→ [CF-2] Audit Scripted REST Resources and custom endpoint configurations (NIS2 Article 21(2)(e) — secure development; ISO 27001 A.8.9 — configuration management): Run platform-release-aware configuration reviews after every ServiceNow release upgrade against the vendor’s published security baseline.
→ [CF-3] Deploy customer-side query and audit-log monitoring on SaaS (NIS2 Article 21(2)(b) — incident handling; ISO 27001 A.8.16 — monitoring activities): Customers must monitor anomalous query patterns on their own instances — even on SaaS — and not rely solely on vendor detection.
→ [CF-4] Apply defence-in-depth at the SaaS API layer (NIS2 Article 21(2)(j) — authentication; ISO 27001 A.5.15 — access control): Where the platform permits, layer IP allowlisting, session-origin restrictions, and WAF rules in front of SaaS API endpoints — treat them as untrusted by default.
→ [CF-5] Train SaaS administrators on platform-release security posture (NIS2 Article 21(2)(g) — cybersecurity hygiene and training; ISO 27001 A.6.3 — information security awareness): Admin teams need formal training on vendor-published security baselines, release-specific exposure, and configuration drift detection.
6️⃣ REGULATORY RELEVANCE
• NIS2 Directive — Article 21(2)(d), supply chain security: SaaS providers form part of the regulated entity’s supply chain; vendor disclosure timelines and remediation discipline are explicit risk-management responsibilities of the customer, not just the vendor.
• NIS2 Directive — Article 21(2)(b), incident handling: Auth-bypass class issues should be treated as high-severity in vendor contracts and customer-side monitoring regimes — disclosure delays compound incident response gaps.
• ISO 27001:2022 — Annex A 8.9, configuration management: Customers retain responsibility for configuration of SaaS instances, including endpoint security posture; A.5.20 (supplier agreements) requires security clauses covering disclosure and patching cadence.
• GDPR — Article 32, security of processing: Where employee, HR, or customer personal data was accessible via the flaw, the technical and organisational measures must remain proportionate to risk — including where the platform vendor controls patch timing.
7️⃣ HOW SEG CAN HELP
→ [CF-2, CF-4] 💡 SEG SaaS Configuration Review: Platform-release-aware security configuration assessment for ServiceNow, Salesforce, Microsoft 365, Workday, and other major SaaS estates — identifying misconfigured REST endpoints, exposed APIs, and drift from vendor security baselines before they become incidents. Each ServiceNow release brings new endpoints; we review them against your security baseline so you don’t inherit the vendor’s defaults.
→ [CF-2, CF-3] 💡 SEG Vulnerability Management Programme: Continuous vulnerability scanning, prioritisation, and remediation tracking across SaaS, cloud, and on-premise estates — including SaaS vendor advisory monitoring (ServiceNow KB articles, Salesforce trust notifications, Microsoft Service Health) so disclosed flaws are flagged, triaged, and closed before exploitation windows open.
→ [CF-1, CF-5] 💡 SEG SaaS Risk Posture Review: A single view of your SaaS-attack-surface — mapping every business-critical platform to data sensitivity, vendor disclosure history, configuration exposure, and renewal/SLA position. Gives leadership the information they need to push back on vendors and harden customer-side controls.
🎯 STRATEGIC SIGNAL
This incident exposes a structural truth about SaaS: when your CRM, ITSM, or HRIS holds your most operationally sensitive data, your security posture is partly determined by your vendor’s disclosure speed. A 44-day gap between confidential bug bounty submission and patch — during which exploitation began — is not unique to ServiceNow. Every SaaS platform has a disclosure-to-patch lifecycle, and customers are paying the cost of that latency without visibility into it. The defensive answer is not to wait for vendor advisories — it is to assume vendor delay and run customer-side controls accordingly.
💬 SEG EXPERT OPINION — Volodymyr Lytvyn, Cyber Lead, SEG
SaaS platforms are the crown jewels — and the attack surface. ServiceNow holds the IT support tickets, employee records, change tickets, and internal procedures of essentially every large enterprise that uses it; the equivalent platforms hold the customer relationships, the people data, the financial records. When the platform itself ships with a misconfigured endpoint, the customer’s security maturity becomes irrelevant: the data is exposed regardless. The lesson of this week is that SaaS configuration cannot be left to vendor defaults — every release brings new endpoints, new APIs, and new behaviours that must be reviewed against the customer’s own security baseline. Vulnerability management cannot stop at on-premise patching; it must extend into vendor advisory monitoring, configuration drift detection, and continuous validation that what the SaaS provider exposes externally is what the customer authorised. In SaaS, customer-side controls are the only controls the customer can actually run — and the 44-day disclosure gap on this incident shows exactly why running them matters.
 SEG EXPERT OPINION — Volodymyr Lytvyn, Cyber Lead, SEG

Third-party risk management is not optional — it is mandatory under both the **NIS2 Directive Article 21(2)(d)** and **ISO 27001:2022 Annex A controls 5.19 through 5.23**. Vendor cybersecurity assessments cannot be a procurement checkbox; they must be a continuous, evidence-based process integrated into every supplier and tool adoption decision. The Miasma campaign proves the consequence of getting this wrong: when GitHub itself — the platform hosting the world’s code — has 73 internal repositories disabled in 105 seconds because credentials from a prior incident were never rotated, every organisation downstream of that supply chain inherits the failure. We mitigate risk, we do not accept it: the regulatory regime no longer permits the latter, and the threat actor ecosystem will continue to exploit organisations that confuse the two. For organisations without dedicated cybersecurity leadership, **our vCISO service exists for exactly this gap** — running the third-party assessment programme on your behalf so the regulatory requirement becomes operational reality.

Stay informed. Stay secure.

Get 1–2 expert insights monthly — straight to your inbox.

Explore more insights and updates

Our Partners & Vendors

Scroll to Top