Cloud technology giant ServiceNow has notified some of its customers that a software bug on its platform was allowing anyone on the internet to access their data. According to a report in TechCrunch, a knowledge base article, which ServiceNow has hidden behind a login wall but has been shared on Reddit, says that the company on June 5 patched some customer instances to fix a bug that had allowed unauthenticated users to “gain greater access” to ServiceNow-hosted data than intended.The bug is said to have allowed potentially anyone to access data stored in customer instances without requiring credentials, such as a password. On June 5, 2026, ServiceNow applied a security update that concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.
Here’s what the post on Reddit says about the data leak
According to a post on Reddit, ServiceNow told some users that “We have detected anomalous activity relating to the security issue. For a subset of customers, we have observed evidence of successful queries of instance tables. We have notified customers if successful queries were observed via case. If you have not received a case from us, then we did not observe such activity in connection with your instance and no action is currently required.”It further said: “We have taken steps to provide this security update to partners and customers.” The post has also shared an FAQ published by the company.
Frequently Asked Questions
Q: Is my instance in scope of the security issue?A: The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia.Q: Will additional actions be required later?A: If additional customer action is required, we will update this KB. Please subscribe to this KB to be informed of future updates.Q: Will a CVE be published?A: ServiceNow is currently evaluating publishing a CVE based on our internal policies and procedures. We will update this KB when we have more information to share.How customers can check if their data has leakedSimilarly, Network defenders shared an IP address, 51.159.98.241, in a Reddit post and said that it is an indicator of potential data access if found in a customer’s logs.A few things I’d recommend regardless of your release:
- Hunt the IOC now: 51.159.98.241 is the confirmed source IP floating around this thread. If you have transaction logs, filter for that IP + the /api/now/related_list_edit path. Five hits seems to be typical for affected tenants.
- Don’t trust the Guest user framing. The attacker showing up as Guest doesn’t mean a Guest account did anything – it just means the endpoint had no auth context to log against. Your alert rules probably aren’t tuned for that.
- If you don’t have REST message logging enabled, you’re flying blind on payload. You can confirm the request happened but not what was requested or returned. Document that gap now before your CISO asks.
