ServiceNow unauthenticated REST endpoint queried customer instance tables before a silent 5 June patch
From CTI Daily Brief — 2026-06-11 · published 2026-06-11
ServiceNow disclosed on 9 June 2026 that a Scripted REST Resource at /api/now/related_list_edit/create was shipped with requires_authentication=false, so the endpoint accepted unauthenticated requests and could be used to query arbitrary customer instance tables (BleepingComputer, 2026-06-09). Anomalous activity was observed from 2–4 June from a single source IP, and ServiceNow applied a server-side fix to hosted instances on 5 June, reconfiguring the endpoint to require authentication (The Hacker News, 2026-06-10). Instances on the "Australia" platform release, or older releases with specific configuration changes, were affected; no CVE has been assigned. ServiceNow's own assessment is that the observed activity was "likely tied to security researchers or customer-led research associated with bug bounty submissions rather than malicious threat actors," while NCSC-CH GovCERT recorded the issue as "Actively Exploited" — the company confirms it saw evidence of successful table queries against a subset of customers regardless of attribution (TechCrunch, 2026-06-10). Technique class: T1190 Exploit Public-Facing Application → T1213 Data from Information Repositories, with downstream T1078 Valid Accounts if tokens stored in tickets were harvested. The advisory (KB3067321) was initially gated behind the customer support portal, so organisations that do not actively monitor it may not know a case was opened on their tenant.
Why it matters to us: ServiceNow is a reference ITSM/CMDB/HR platform across the Swiss Confederation, cantonal administrations and EU institutions, and its instances routinely hold support-ticket credentials, embedded API tokens, asset inventories and security-incident records. Audit all Scripted REST Resources for requires_authentication=false (filter sys_ws_operation on acl.requires_authentication=false), review access_log_transaction for requests to /api/now/related_list_edit in the 2–5 June window, and rotate any secrets exposed in support workflows.
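The two audit steps above, worked through as an added example that is not part of the brief or of any ServiceNow tooling: it runs offline over a constructed JSON export of sys_ws_operation and access_log_transaction, so the column names (requires_authentication, url, client_ip, sys_created_on) are assumptions to be mapped onto your instance's real export before use.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample export of sys_ws_operation (Scripted REST Resources);
# field names are assumptions for illustration, not a verified schema.
SYS_WS_OPERATION = json.loads("""[
 {"sys_id": "a1", "web_service_definition": "related_list_edit",
  "relative_path": "/create", "http_method": "POST", "requires_authentication": "false"},
 {"sys_id": "b2", "web_service_definition": "cmdb_helper",
  "relative_path": "/lookup", "http_method": "GET", "requires_authentication": "true"}
]""")
# Constructed sample of access_log_transaction rows (same caveat; timestamps taken as UTC).
ACCESS_LOG = json.loads("""[
 {"sys_created_on": "2026-06-02 23:58:41", "url": "/api/now/related_list_edit/create",
  "client_ip": "198.51.100.7", "user": "guest", "status": "200"},
 {"sys_created_on": "2026-06-03 02:14:07", "url": "/api/now/related_list_edit/create",
  "client_ip": "198.51.100.7", "user": "guest", "status": "200"},
 {"sys_created_on": "2026-06-03 09:20:00", "url": "/api/now/table/incident",
  "client_ip": "203.0.113.5", "user": "svc_itsm", "status": "200"},
 {"sys_created_on": "2026-06-07 11:00:00", "url": "/api/now/related_list_edit/create",
  "client_ip": "198.51.100.7", "user": "guest", "status": "401"}
]""")

WINDOW_START = datetime(2026, 6, 2)
WINDOW_END = datetime(2026, 6, 6)          # exclusive bound: covers 2-5 June inclusive
TARGET_PREFIX = "/api/now/related_list_edit"

def unauthenticated_resources(records):
    """Scripted REST Resources reachable without a session; each one is an audit finding."""
    return [r for r in records if str(r.get("requires_authentication", "")).lower() == "false"]

def requests_in_window(log, prefix=TARGET_PREFIX, start=WINDOW_START, end=WINDOW_END):
    """Transaction-log rows that hit the affected path inside the disclosed activity window."""
    hits = []
    for row in log:
        ts = datetime.strptime(row["sys_created_on"], "%Y-%m-%d %H:%M:%S")
        if row["url"].startswith(prefix) and start <= ts < end:
            hits.append(row)
    return hits

def sources(hits):
    """Request count per client IP; one dominant source matches the vendor's description."""
    return Counter(h["client_ip"] for h in hits)

if __name__ == "__main__":
    for r in unauthenticated_resources(SYS_WS_OPERATION):
        print("UNAUTHENTICATED RESOURCE:", r["web_service_definition"], r["http_method"], r["relative_path"])
    hits = requests_in_window(ACCESS_LOG)
    print(f"{len(hits)} request(s) to {TARGET_PREFIX} between 2 and 5 June:", dict(sources(hits)))
```

Any row returned by requests_in_window with a 2xx status is a reason to open the KB3067321 case with ServiceNow and to start rotating secrets held in the tables that instance exposes.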