logo

ServiceNow’s requires_authentication=false: The One Boolean That Exposed Enterprise Data Worldwide

ID: 4b031089-46db-55de-aec9-71ba263201c0

STIX ID: report--4b031089-46db-55de-aec9-71ba263201c0

Feed Name: Security Boulevard

Threat Score
82/100

Date Published: 2026-07-12

Date Updated: 2026-07-13

Author: Deepak Gupta

...
...

ServiceNow shipped a REST API endpoint (/api/now/related_list_edit/create) with requires_authentication=false, allowing unauthenticated access to customer instance data. Attackers queried IT tickets, employee records, security incident reports, and embedded credentials; anomalous activity and confirmed queries were observed on June 2–3. ServiceNow patched the issue on June 5 after receiving a bug bounty report on April 22 and publicly disclosed the incident on June 9. Organizations are advised to review logs for the endpoint and IP 51.159.98.241, rotate any credentials stored in ServiceNow, and audit Scripted REST Resources for misconfigured authentication.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.