ProBackend
cloud security incidents

ServiceNow’s Blind Spot: How an Unauthenticated API Endpoint Exposed Customer Secrets

Attackers exploited a misconfigured ServiceNow API endpoint to query customer data—while the vendor delayed action, waiting for a bug bounty report to trigger a fix.

The Patch That Came Too Late

It wasn’t a zero-day. It wasn’t even a secret.

The endpoint /api/now/related_list_edit/create had been configured with requires_authentication=false for years—likely since the Australia release. No one noticed. No one audited it. Not the customers. Not ServiceNow’s own security team.

Then, on April 22, 2026, someone submitted a bug bounty report. Confidentially. Quietly. No fanfare. No CVE. No alert.

And then… silence.

For six weeks.

It wasn’t until June 5, after attackers began probing customer instances from IP 51.159.98.241, that ServiceNow finally pushed a patch. Not because they were scared. Not because they’d been breached. But because someone else had already started exploiting it.

This isn’t a story about hackers. It’s about how vendors treat vulnerability reports like paperwork to file—and not as alarms to answer.

If you’re a ServiceNow admin, and you haven’t checked your API logs since January, you’re already compromised.

And you didn’t even know it.


The Endpoint That Shouldn’t Exist

Let’s be clear: this wasn’t a flaw in the code.

It was a configuration error. A checkbox left unchecked. A default value ignored.

The /api/now/related_list_edit/create endpoint was meant to be a backend tool for internal ServiceNow engineers to manage related list edits during platform upgrades. It was never meant to be exposed to customers.

But somewhere along the way—probably during a configuration drift audit that never happened—it was left open. And worse: it was left open without authentication.

Why? Because ServiceNow’s platform has thousands of endpoints. And most of them are never reviewed. Not by customers. Not by auditors. Not even by their own security team.

This isn’t a bug. It’s a culture problem.

The endpoint didn’t just expose ticket data. It exposed:

  • Employee records pulled from HR workflows
  • API tokens passed during support case resolution
  • Internal documentation shared in incident reports
  • Configuration snapshots of connected systems
  • Legacy credentials buried in workflow scripts

And because ServiceNow hosts thousands of customers on shared infrastructure, a single unauthenticated query could return data from multiple tenants.

That’s not a breach.

That’s a systemic failure.


The Timeline No One Talks About

April 22, 2026: A researcher submits a confidential bug bounty report detailing the unauthenticated endpoint. ServiceNow’s team acknowledges receipt. No public notice. No internal alert. No patch.

May 10, 2026: The first anomalous API calls appear in logs. Same IP. Same endpoint. Same pattern. ServiceNow’s threat intel team flags it as "likely a customer’s internal audit tool." They don’t investigate further.

May 28, 2026: A second wave of queries hits. This time, the requests include X-User-Agent: Mozilla/5.0 (compatible; DataHarvester/1.0). Still no action. No escalation.

June 3, 2026: A customer reports suspicious activity in their support ticket logs. ServiceNow’s support team opens a ticket. Still no security response.

June 5, 2026: ServiceNow deploys a patch to set requires_authentication=true on the endpoint. They issue a silent bulletin to affected customers. No press release. No CVE. No public warning.

June 9, 2026: BleepingComputer publishes the story. ServiceNow finally admits the incident. They claim the activity was "likely tied to bug bounty submissions."

Wait.

They knew about the vulnerability for six weeks.

They saw the exploitation.

And they waited.

Why?

Because they didn’t think it mattered.

Until someone else made it matter.


What Was Stolen? (And Why You Should Care)

ServiceNow won’t say what data was accessed.

That’s not because they don’t know.

It’s because they’re afraid of the answer.

Here’s what could have been pulled:

  • Support ticket contents: These aren’t just logs. They’re treasure troves. Customers share passwords, API keys, and internal network diagrams during troubleshooting. One ticket might contain the credentials to your AWS account.
  • Employee records: Names, emails, job titles, department assignments—often synced from Active Directory or HRIS systems.
  • Asset inventories: Hardware serial numbers, software licenses, IP assignments. Perfect for social engineering.
  • Workflow scripts: JavaScript snippets that call external APIs. Some still use hardcoded credentials.
  • Security incident reports: Internal logs of past breaches. Attackers use these to map your defenses.

And here’s the kicker: if you’re on the Australia release—or any release where someone enabled "allow unauthenticated access to related lists"—you were vulnerable.

No one told you.

No one warned you.

And now, six weeks later, you’re being asked to rotate credentials you didn’t know were exposed.

This isn’t incident response.

It’s damage control.


The Indicators: What to Look For in Your Logs

If you’re a ServiceNow admin, stop reading. Go check your logs.

Right now.

Here’s what you’re looking for:

  • Endpoint: /api/now/related_list_edit/create
  • HTTP Method: POST
  • User-Agent: Any non-ServiceNow agent (e.g., curl, Python-urllib, DataHarvester)
  • Source IP: 51.159.98.241 (confirmed malicious)
  • Response Code: 200 OK with large JSON payloads (not errors)
  • Timing: Repeated requests between 2:00–4:00 AM UTC

Run this query in your ServiceNow audit log:

sys_audit WHERE table_name = 'related_list_edit' AND operation = 'create' AND user = 'anonymous' AND source_ip = '51.159.98.241'
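If your instance exports API access logs as one JSON object per line, the indicators above can be turned into a small scoring script instead of a single exact-match query. The example below is added here and is not ServiceNow's tooling; the field names (ts, method, path, user, user_agent, src_ip, status, resp_bytes), the "ServiceNow" user-agent prefix for your own integrations, the 50 kB "large payload" threshold and the "guest" user value are assumptions, and the log lines are constructed. Because it scores several weak signals rather than matching only the one IP, it also surfaces probes from other addresses, including failed ones after the patch.

```python
"""Scan API access-log lines for the indicators listed above.

Added example, not ServiceNow's own tooling. The input format (one JSON
object per line with the fields ts, method, path, user, user_agent, src_ip,
status, resp_bytes) is an assumption; map your instance's export onto it.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

TARGET_PATH = "/api/now/related_list_edit/create"
KNOWN_BAD_IPS = {"51.159.98.241"}            # IP named in the article
SUSPECT_AGENTS = ("curl", "python-urllib", "dataharvester")
TRUSTED_AGENT_PREFIXES = ("ServiceNow",)     # assumption: your own integrations
LARGE_BODY_BYTES = 50_000                    # assumption: tune to normal sizes

# Constructed sample log, not real data. Line 1 resembles the activity the
# article describes, line 2 is unrelated traffic, line 3 is an authenticated
# internal call to the same endpoint, line 4 is a failed probe after the patch.
SAMPLE_LOG = """\
{"ts": "2026-05-28T02:41:10+00:00", "method": "POST", "path": "/api/now/related_list_edit/create", "user": "anonymous", "user_agent": "Mozilla/5.0 (compatible; DataHarvester/1.0)", "src_ip": "51.159.98.241", "status": 200, "resp_bytes": 184233}
{"ts": "2026-05-28T14:03:55+00:00", "method": "GET", "path": "/api/now/table/incident", "user": "integration.user", "user_agent": "ServiceNow/Integration", "src_ip": "10.0.0.5", "status": 200, "resp_bytes": 2300}
{"ts": "2026-05-29T09:15:00+00:00", "method": "POST", "path": "/api/now/related_list_edit/create", "user": "upgrade.svc", "user_agent": "ServiceNow-UpgradeTool/1.0", "src_ip": "10.0.0.9", "status": 200, "resp_bytes": 1200}
{"ts": "2026-06-06T03:10:00+00:00", "method": "POST", "path": "/api/now/related_list_edit/create", "user": "", "user_agent": "curl/8.4.0", "src_ip": "198.51.100.7", "status": 401, "resp_bytes": 120}
"""


def in_quiet_window(ts: datetime) -> bool:
    """True between 02:00 and 04:00 UTC, the window the article describes."""
    hour = ts.astimezone(timezone.utc).hour
    return 2 <= hour < 4


def score_entry(entry: dict) -> list[str]:
    """Return the names of the indicators this entry matches."""
    if entry.get("path") != TARGET_PATH:
        return []                            # other endpoints are out of scope here
    hits = ["endpoint"]
    if entry.get("method") == "POST":
        hits.append("method")
    ua = entry.get("user_agent", "")
    # "any non-ServiceNow agent": not one of ours, or a known harvesting tool
    if not ua.startswith(TRUSTED_AGENT_PREFIXES) or any(s in ua.lower() for s in SUSPECT_AGENTS):
        hits.append("user_agent")
    if entry.get("src_ip") in KNOWN_BAD_IPS:
        hits.append("known_bad_ip")
    if entry.get("status") == 200 and entry.get("resp_bytes", 0) >= LARGE_BODY_BYTES:
        hits.append("large_200")
    # "anonymous" comes from the article's query; "guest" is an assumption
    if not entry.get("user") or entry["user"] in ("anonymous", "guest"):
        hits.append("unauthenticated")
    if in_quiet_window(datetime.fromisoformat(entry["ts"])):
        hits.append("quiet_hours")
    return hits


def scan(lines, min_hits: int = 3) -> list[dict]:
    """Parse JSON lines and return entries matching at least min_hits indicators.

    min_hits counts the endpoint match itself, so 3 means two further signals
    on top of simply touching the endpoint.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        hits = score_entry(entry)
        if len(hits) >= min_hits:
            findings.append({"ts": entry["ts"], "src_ip": entry.get("src_ip"),
                             "user": entry.get("user"), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["src_ip"], ", ".join(f["hits"]))
```

On the constructed sample, the first line is reported with all seven indicators and the post-patch curl probe with five; the authenticated internal call to the same endpoint stays below the threshold. Lower min_hits if you would rather review every touch of the endpoint by hand.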

If you see results? You were breached.

And if you don’t? You’re still at risk.

Because the patch was applied on June 5.

But the vulnerability existed for years.

You don’t know what was taken.

You don’t know who took it.

And you don’t know if they’re still inside.


Your Action Plan: Don’t Wait for Another Patch

Here’s what you do now:

  1. Rotate all credentials used in ServiceNow workflows. That includes API keys, OAuth tokens, and service account passwords. Even if you think they’re "safe."
  2. Enable API logging. If you don’t have it turned on, you’re flying blind. Go to System Security > Audit > Enable Logging.
  3. Audit all custom scripts. Look for hardcoded credentials. Look for GlideAjax calls to unauthenticated endpoints.
  4. Check your release version. If you’re on Australia or older, and you ever enabled "allow unauthenticated access to related lists," you’re vulnerable.
  5. Block 51.159.98.241 at the network level. Even if the endpoint is patched, this IP is now known bad.
  6. Review all support tickets from March–May 2026. Look for any mention of credentials, tokens, or internal systems.

And here’s the hardest part:

Don’t assume you’re clean.

ServiceNow didn’t tell you who was affected.

They didn’t tell you what was taken.

They didn’t even tell you how many customers were exposed.

So you have to assume you’re one of them.


The Real Crime: Waiting for a Bug Bounty to Fix a Known Flaw

Let’s be honest.

This wasn’t a sophisticated attack.

It was a lazy one.

The attacker didn’t need zero-days. They didn’t need phishing. They didn’t need malware.

They just needed to know that ServiceNow doesn’t care.

And they were right.

A bug bounty report sat in a queue for six weeks.

Exploitation began.

And still, no action.

Until it became public.

That’s not a security failure.

That’s a moral one.

ServiceNow built a platform trusted by hospitals, banks, and governments.

And they treated a critical vulnerability like a backlog item.

They didn’t fix it because it was dangerous.

They fixed it because someone else made it visible.

That’s not leadership.

That’s negligence.

And if you’re still using ServiceNow without auditing your API exposure? You’re trusting the same company that let this happen.

Ask yourself:

Who’s really protecting your data?

And why are you still letting them?


Final Thought: The CVE That Never Came

ServiceNow says they’re evaluating whether to issue a CVE.

Let me translate that:

"We’re not sure if this was bad enough to warrant public shame."

That’s the mindset that got us here.

This isn’t a CVE issue.

It’s a culture issue.

And until vendors stop treating security like a compliance checkbox—and start treating it like a moral obligation—we’ll keep seeing this exact same story.

Again.

And again.

And again.

This time, don’t wait for the patch.

Audit your systems.

Assume you’re breached.

And don’t trust anyone else to protect you.

Because they won’t.
