CISOOnline

ServiceNow fixes API issue after reports of suspicious tenant activity

According to the company’s advisory, the vulnerability was initially reported through ServiceNow’s bug bounty program in April, prompting an investigation and subsequent security updates. ServiceNow said hosted customers received a security update (KB3067321) on June 5, while guidance (KB3067372) was issued for self-hosted deployments.

The flaw appears to have affected tenants running specific versions and configurations. Cory Michal, CISO at SaaS and AI security company AppOmni, said the issue involved “an unauthenticated, internet-facing ServiceNow API endpoint” that could be accessed without authentication when certain conditions were present.

“In practical terms, anyone who knew the endpoint URL and how to structure the request could access data from the affected ServiceNow tenant without authenticating first,” Michal said.

Because ServiceNow often stores IT service requests, employee information, and internal security data, unauthorized access to customer instances can pose significant risks to enterprises.
