"On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company said in an advisory that is available only to customers.
What ServiceNow says and what changed
ServiceNow disclosed a security update on June 5, 2026, that alters an endpoint configuration to limit access to authenticated users. In its advisory, the company described the underlying problem as "a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended." The update was applied to hosted customer instances; the advisory itself requires customer access to view.
ServiceNow also noted the flaw currently does not have a CVE identifier. The company said it detected anomalous activity related to the issue and observed evidence of successful queries of instance tables against a "subset of customers." Impacted customers have been notified, ServiceNow added.
Platforms, configurations, and who is affected
According to the advisory, the security issue pertains to customers who are on the Australia platform release or customers who "made certain configuration changes to instances on releases prior to Australia." ServiceNow did not publish a list of affected customers in the advisory; instead, it said it notified those it believes were impacted.
Claims from Reddit and the reported internal timeline
Details of the issue first emerged on Reddit, where a user posting as "d3s7iny" claimed that their security team had reported the vulnerability to ServiceNow. That Reddit comment further alleged that ServiceNow had been aware of the problem internally since April 7, 2026, and that the company had classified it as a non-urgent issue for about two months, with plans to remediate in a future update.
Those claims are presented as assertions on the Reddit thread; ServiceNow's advisory does not repeat the April 7 internal date or the characterization of the internal classification timeline. The Hacker News has contacted ServiceNow for comment and said it would update the story if the company responds.
Observed exploitation and the role of unknown threat actors
ServiceNow said unknown threat actors exploited the flaw to obtain deeper unauthorized access to susceptible instances. The company reported it detected anomalous activity and "observed evidence of successful queries of instance tables" against a subset of customers. The advisory does not identify the actors or provide technical indicators beyond the change to endpoint configuration and the general description of unauthenticated access in certain circumstances.
How technologists, affected enterprises, and adversaries are likely to respond
- Technologists and security teams: They will need to verify whether their instances are on the Australia platform release or whether specific prior-release configuration changes apply. The change described in the advisory, restricting an endpoint to authenticated users, is the remediation ServiceNow applied; teams will want to confirm the update is present on hosted instances and review logs for the "anomalous activity" ServiceNow reported.
- Affected enterprises and procurement leaders: Organizations notified by ServiceNow will have to assess the scope of the observed "successful queries of instance tables" and determine whether sensitive data or business processes were exposed. Procurement and contract teams will likely scrutinize service-level and security notification clauses relevant to hosted-instance incidents.
- Adversaries and threat actors: The advisory confirms unknown actors exploited the flaw to gain deeper access. The change to require authentication on the affected endpoint reduces that specific attack surface; however, the disclosure and the Reddit discussion together may accelerate both defensive audits and adversary scanning of similar endpoints or configurations.
ServiceNow's advisory and the Reddit thread together establish a sequence: a vulnerability was identified affecting instances on the Australia platform release and instances on earlier releases with certain configuration changes; ServiceNow applied an endpoint-configuration update on June 5, 2026; ServiceNow says it detected anomalous activity and has notified impacted customers; a Reddit commenter claims an April 7 internal awareness date and a prior non-urgent classification. The Hacker News has sought comment from ServiceNow and said it will update its reporting if the company responds.
The record in the advisory is specific about the fix applied and the categories of customers potentially affected, but it stops short of publishing a CVE, detailed technical indicators, or a named list of impacted customers. For organizations running hosted ServiceNow instances that match the described platform or configuration criteria, the immediate task is confirmatory: validate the June 5 update is present and review any notifications from ServiceNow about observed queries of instance tables.




