
American software behemoth ServiceNow has disclosed a “security incident” that allowed unauthorized access to customer data. The company says it pushed an update to secure hosted customer instances. Users fear the company knew about the issue for months. An updated security advisory from the company attributes the incident to security researchers.
- ServiceNow disclosed a security incident that allowed unauthorized users to access customer data through a misconfigured endpoint vulnerability.
- Users allege ServiceNow knew about the security flaw since April 7 but delayed fixing it until later releases.
- The vulnerability affected customers on the Australia platform release, as well as customers on earlier releases where specific configuration changes had been applied to instances.
- ServiceNow confirmed that successful unauthorized queries of customer instance tables occurred but has not disclosed the number of impacted customers.
ServiceNow started issuing notifications to customers about unauthorized activity in their environments. According to a customer-only bulletin, a security issue allowed unauthorized users “to gain greater access to ServiceNow instances than intended.”
To make matters worse, ServiceNow says it has observed “anomalous activity relating to the security issue.”
“For a subset of customers, we have observed evidence of successful queries of instance tables. We have notified customers if successful queries were observed via case,” reads the bulletin.
Meanwhile, the company confirmed to Cybernews that it applied a security update to hosted customers.
“The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended,” a ServiceNow statement, shared with Cybernews, reads.
After the article was published with ServiceNow's statement, the company issued a security advisory detailing the incident. According to the company, on June 3rd-4th, customers submitted a bug bounty report about a security issue that allowed unauthorized access.
ServiceNow claims these submissions were similar to ones the company received on April 22nd. Meanwhile, in early June, ServiceNow noted “unattributed activity” on a subset of customer instances, prompting an investigation into the matter.
“On June 7th, 2026, two security researchers submitted a report to our bug bounty program. Based on our investigation to date, we have reason to believe the observed activity can be attributed to security researchers or customers conducting their own research,” reads the company's advisory.
ServiceNow explained that its investigation is ongoing. However, the company’s official position appears to be that all unauthorized activity is attributable to researchers who were trying to validate their findings.
What caused the ServiceNow incident?
Users on the ServiceNow-dedicated Reddit forum shared their insights about the incident, noting that the most likely cause was the software maker pushing an update with the security setting turned off.
Users noted that ServiceNow remained vague about the security issue. The company’s bulletin notes that the issue “pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” in essence confirming what Redditors were saying.
Namely, the bug affected the current Australia release itself and, where certain configuration changes had been made, earlier releases of the company’s software as well (ServiceNow names its software releases alphabetically after cities and regions).
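The bulletin describes unauthenticated callers reading instance tables but does not name the endpoint or the setting involved. The script below is an added example, not ServiceNow's code and not the fix the company shipped: it probes the documented REST Table API path (/api/now/table/{table}) with no credentials and reports which tables answer with records instead of the expected HTTP 401. The table list, the demo responses and the verdict names are assumptions made for illustration; the `demo_fetch` responses are constructed so the script runs offline.

```python
"""Check whether a ServiceNow instance serves table rows to anonymous callers.

Added example (not ServiceNow's own code, not a reproduction of the incident).
An instance with intact ACLs answers an unauthenticated GET on
/api/now/table/{table} with 401; a 200 carrying a non-empty "result" array
means the table is readable without logging in.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Tables a practitioner would not want readable anonymously (assumed list).
DEFAULT_TABLES = ["sys_user", "incident", "cmdb_ci_server",
                  "sys_properties", "sys_user_has_role"]

# A fetcher performs an unauthenticated GET and returns (status, body).
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real unauthenticated GET; HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


# Constructed demo responses (assumption, for offline runs and the usage below).
DEMO_RESPONSES = {
    "sys_user": (200, '{"result":[{"user_name":"admin"}]}'),
    "incident": (200, '{"result":[]}'),
    "sys_properties": (200, "<html>login page</html>"),
}


def demo_fetch(url: str) -> Tuple[int, str]:
    """Offline fetcher: anything not listed above behaves like a locked-down table."""
    table = url.split("/api/now/table/", 1)[1].split("?", 1)[0]
    return DEMO_RESPONSES.get(
        table, (401, '{"error":{"message":"User Not Authenticated"}}'))


def classify(status: int, body: str) -> str:
    """Map one response to an exposure verdict."""
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            payload = json.loads(body)
        except ValueError:
            return "unexpected"          # 200 but not JSON, e.g. a login page
        result = payload.get("result") if isinstance(payload, dict) else None
        if isinstance(result, list):
            # An empty result can still mean ACLs filtered every row;
            # only returned records prove that data is readable anonymously.
            return "exposed" if result else "reachable-no-rows"
    return "unexpected"


def audit_tables(base_url: str, tables: Optional[List[str]] = None,
                 fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Return {table: verdict}, querying each table with no credentials."""
    findings: Dict[str, str] = {}
    for table in tables or DEFAULT_TABLES:
        url = f"{base_url.rstrip('/')}/api/now/table/{table}?sysparm_limit=1"
        status, body = fetch(url)
        findings[table] = classify(status, body)
    return findings


def exposed_tables(findings: Dict[str, str]) -> List[str]:
    """Tables that returned records to an anonymous caller."""
    return sorted(t for t, v in findings.items() if v == "exposed")


if __name__ == "__main__":
    # With an instance URL the probe runs live; without one it uses demo data.
    if len(sys.argv) == 2:
        findings = audit_tables(sys.argv[1])
    else:
        findings = audit_tables("https://dev.example.service-now.com", fetch=demo_fetch)
    for table, verdict in findings.items():
        print(f"{verdict:17} {table}")
    print("anonymously readable:", exposed_tables(findings) or "none")
```

Run it against your own instance only; a `reachable-no-rows` verdict deserves a closer look in the instance's ACL debugger, because ServiceNow also returns 200 with an empty result when row-level ACLs strip every record.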
Interestingly, one user alleges the company may have been aware of the issue for months. Apparently, after a security team reached out to ServiceNow, the company’s support agents suggested closing the case and not worrying about it.
The same Reddit user continued, saying that after escalation, they were put on hold and later shown problem record tickets that revealed ServiceNow had been aware of the claims since early April.
“They showed us an internal PRB showing that ServiceNow has been aware of the vulnerability since April 7th and did not clarify it as a threat. They were targeting to fix it in Brazil before our report,” the Reddit user explained.
We asked ServiceNow to clarify whether these claims were true, but we have not received a response.
It is unclear how many customers were affected by the security incident at the time of writing. However, ServiceNow’s security bulletin said impacted customers were contacted by the company.
The company did not specify what type of data the unauthorized access may have exposed. However, given that ServiceNow’s platform holds IT service and asset records for many large corporations, the exposed data could range from infrastructure details to employee records.
At the same time, the company is still evaluating whether to publish a CVE for the issue.
Earlier this year, an AI security vulnerability called “BodySnatcher” affected ServiceNow’s Virtual Agent API and Now Assist AI Agents. According to the researcher who first discovered it, it could have enabled an attacker to impersonate privileged users and drive AI agent workflows to create backdoor access.
Meanwhile, in 2023, researchers discovered a ServiceNow flaw that may have allowed unauthorized access to its systems.
The California-headquartered ServiceNow is a major IT services provider, with yearly revenue exceeding $13 billion last year and a staff of nearly 30,000.
What happened in the ServiceNow security incident?
ServiceNow disclosed a "security incident" in which a misconfigured endpoint allowed unauthenticated users to access customer data beyond their intended permissions. The company confirmed it pushed a security update to hosted customer instances after observing "anomalous activity," and has begun notifying affected customers whose data was successfully queried.
Did ServiceNow know about the vulnerability before the incident?
According to users on the ServiceNow Reddit community, the company may have been aware of the vulnerability since at least April 7th. One user alleged that after reporting the issue to ServiceNow support, agents initially suggested closing the case.
What customer data was exposed in the ServiceNow security incident?
ServiceNow has not specified the exact types of data exposed. The company confirmed that for a subset of customers, unauthorized users successfully queried "instance tables."
Updated on June 12th [06:35 a.m. GMT] with details from ServiceNow's security advisory. As the company attributes the incident to security researchers, we've updated the article to reflect information shared via the security advisory.