ServiceNow is warning customers about a security incident involving an unauthenticated API flaw that let attackers query data from customer instances. ServiceNow has not disclosed details, but admins pointed to /api/now/related_list_edit/create, reportedly tied to requires_authentication=false. ServiceNow confirmed attackers queried customer tables.
The risk is serious because ServiceNow often stores high-value operational data: IT tickets, employee records, asset inventories, internal documentation, incident reports, workflow data, configuration details, credentials, API tokens, and troubleshooting secrets. The issue appears to affect customers on specific releases with certain configuration changes. Admins shared indicators including 51.159.98.241; organizations must review logs for /api/now/related_list_edit, rotate exposed credentials or tokens, and validate API logging. This is a core SaaS blind spot: attackers may not need to breach the corporate network if a workflow platform exposes sensitive tables.
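The log review described above can be scripted. The following is an added example, not ServiceNow's or the author's code: it triages an exported request log for hits on the reported path and ranks source IPs for review. The CSV column names, the "guest"/empty-user convention for unauthenticated callers, and all sample rows are assumptions constructed for illustration; map them to the fields in your own export.

```python
import csv
import io
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/now/related_list_edit"  # path named on the page
REPORTED_IPS = {"51.159.98.241"}         # indicator shared by admins, per the page
ANON_USERS = {"", "guest"}               # assumption: how an unauthenticated caller is logged

# Constructed sample export. Column names are assumptions, not ServiceNow's schema.
SAMPLE_LOG = """time,src_ip,user,url,status
2025-01-01T09:58:11Z,198.51.100.7,alice,/api/now/table/incident?sysparm_limit=10,200
2025-01-01T10:02:40Z,51.159.98.241,guest,/api/now/related_list_edit/create,200
2025-01-01T10:02:41Z,51.159.98.241,guest,/api/now/Related_List_Edit/create?x=1,200
2025-01-01T10:05:03Z,203.0.113.20,,/api/now/related_list_edit%2Fcreate,401
2025-01-01T10:07:19Z,198.51.100.7,alice,/api/now/related_list_edit/create,200
2025-01-01T10:09:55Z,198.51.100.9,guest,/api/now/related_list_editor/view,200
"""

def hits_endpoint(url):
    """True if the URL path is the endpoint or sits below it (segment-aware)."""
    # Decode and lowercase so encoded or mixed-case variants are not missed.
    path = unquote(urlsplit(url).path).lower().rstrip("/")
    return path == ENDPOINT or path.startswith(ENDPOINT + "/")

def triage(log_text):
    """Group endpoint hits by source IP and rank the ones that need review first."""
    by_ip = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if not hits_endpoint(row["url"]):
            continue
        rec = by_ip.setdefault(row["src_ip"], {
            "src_ip": row["src_ip"], "requests": 0, "anon_ok": 0,
            "first": row["time"], "last": row["time"],
            "reported": row["src_ip"] in REPORTED_IPS})
        rec["requests"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        rec["first"] = min(rec["first"], row["time"])
        rec["last"] = max(rec["last"], row["time"])
        # An unauthenticated caller that still got a 2xx is the case the page describes.
        if row["user"].strip().lower() in ANON_USERS and row["status"].startswith("2"):
            rec["anon_ok"] += 1
    return sorted(by_ip.values(),
                  key=lambda r: (r["reported"], r["anon_ok"], r["requests"]), reverse=True)

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

The first and last timestamps per source IP bound the window to use when deciding which credentials or tokens to rotate.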
Stopping attacks like this requires a unified SaaS security and API observability data lake that consolidates ServiceNow audit logs, API telemetry, IAM/SSO events, ticket access records, database activity, endpoint telemetry, DNS, NetFlow/IPFIX, packet capture, and L2–L7 session analytics. With API security monitoring, SaaS posture management, data access governance, NDR, SIEM, XDR, SOAR, AI root-cause analysis, and agentic remediation, teams can detect unauthenticated API access, abnormal table queries, exposed secrets, and suspicious data movement. A platform like NIKSUN that powers 100% visibility across SaaS, identity, applications, and network traffic turns hidden API misconfigurations into actionable intelligence — blocking access and preserving a forensic audit trail.