DarkReading

ServiceNow Flaw Exploited To Access Customer Instances


A recently disclosed ServiceNow flaw has come under scrutiny after the company confirmed that unknown threat actors exploited the vulnerability to gain unauthorized access to a number of customer instances. The issue, which first gained public attention through discussions on Reddit, prompted an emergency security update after evidence emerged that attackers had successfully queried customer data.

According to ServiceNow, the security issue affected certain customer environments and allowed an unauthenticated user, under specific circumstances, to obtain a higher level of access than intended. While the company has taken steps to address the problem, questions have surfaced regarding the timeline of the vulnerability and when it was first known internally.

ServiceNow Flaw and Update Following Exploitation

In an advisory released to customers, ServiceNow disclosed that it deployed a security update to hosted customer instances on June 5, 2026. 

“On June 5, 2026, ServiceNow applied a security update to hosted customer instances,” the company stated. “The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”

To mitigate the risk posed by the ServiceNow flaw, the company modified an endpoint configuration so that access is restricted to authenticated users only. At the time of disclosure, the vulnerability had not been assigned a CVE identifier. 

The existence of the vulnerability first became widely known through posts and discussions on Reddit, where users raised concerns about the potential impact of the issue and the timeline of the company’s response. 


Threat Actors Successfully Queried Customer Data

ServiceNow said it identified unusual activity associated with the vulnerability and discovered evidence that threat actors had successfully executed queries against instance tables belonging to a limited number of customers.

The company acknowledged that a “subset of customer instances were queried successfully as part of this activity.” Customers affected by the incident have since been notified directly.

According to the advisory, the malicious activity linked to the ServiceNow flaw began on June 2, 2026. The company did not disclose the identities of the threat actors involved or provide further details regarding the information that may have been accessed through the unauthorized queries.

Which Customers Were Affected?

ServiceNow indicated that the issue primarily affected customers running the Australia platform release, as well as organizations that had implemented certain configuration changes on versions released before Australia. 

“The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” the company explained. 

The company emphasized that the incident was limited in scope rather than widespread across its entire customer base. 

When asked about the situation, a ServiceNow spokesperson stated, “our main priority was to reach out directly to the subset of customers this [incident] affected, it was not broad.” 

Reddit Claims Raise Questions About Disclosure Timeline

Beyond the technical details of the incident, discussions on Reddit have sparked debate about how long the ServiceNow flaw may have been known before exploitation occurred. 

A user identified as “d3s7iny” claimed in a Reddit comment that their security team had reported the vulnerability to ServiceNow. The user further alleged that the company had been aware of the issue internally since April 7, 2026. 

According to the comment, the vulnerability was reportedly categorized as a non-urgent issue for nearly two months, with plans to address it in a future software update rather than through immediate remediation. 

While these claims originated from Reddit and have not been independently verified, they have fueled discussion within the cybersecurity community regarding vulnerability management and response timelines. 

Bug Bounty Reports Mirrored Earlier Submission 

ServiceNow’s advisory also sheds additional light on the reporting history of the vulnerability. 

The company revealed that between June 3 and June 4, 2026, customers submitted reports through their bug bounty programs describing a security issue that could allow unauthenticated users to gain unauthorized access to information stored within ServiceNow instances. 

“On June 3-4, 2026, customers shared submissions to their bug bounty programs regarding a security issue that could, in certain circumstances, allow an unauthenticated user to gain unwanted access to information in ServiceNow instances,” the company stated. 

ServiceNow added that these reports closely resembled an earlier confidential submission that had been sent to its own bug bounty program on April 22, 2026. 

“These submissions were similar to a confidential submission sent to our bug bounty program on April 22, 2026.” 
