ServiceNow Patches API Vulnerability That Exposed Customer Data to Unauthenticated Access

ServiceNow patched an API flaw on June 5, 2026, that allowed unauthenticated users to access customer instance data without proper credentials. The vulnerability primarily affected customers on the Australia platform release and older versions with custom configurations, though some non-Australian users reported evidence of external access. The incident highlights risks to enterprise cloud platforms that store sensitive business data including IT tickets, employee records, and system credentials.
ServiceNow disclosed a security vulnerability in an API endpoint that permitted unauthenticated attackers to query customer instance tables and gain unauthorized access to sensitive enterprise data. The company applied a fix on June 5, 2026, reconfiguring the endpoint to require authentication. While ServiceNow stated the issue primarily affected customers on its Australia platform release and those running older releases with certain configuration changes, Reddit users and network defenders reported evidence of external access from IP address 51.159.98.241 affecting instances outside Australia. The company notified affected customers through support cases but has not disclosed what specific data was accessed, how many customers were impacted, or how long the vulnerability remained exploitable. ServiceNow customers store critical business information on the platform including IT support tickets, employee records, internal documentation, asset inventories, and system credentials, making the platform a high-value target for attackers.
What's missing
The sources do not clarify the timeline of when the vulnerability was first introduced or how long it remained exploitable before the June 5, 2026 patch. Additionally, neither source provides information on whether ServiceNow has disclosed the total number of affected customers or conducted a forensic investigation into what data was actually exfiltrated.
How coverage differed
TechCrunch emphasizes the lack of transparency and unanswered questions ("It's not clear who had improper access... what data was accessed"), while TechRadar focuses more on the technical details and remediation steps customers should take. TechCrunch also highlights the discrepancy between ServiceNow's claim of Australia-only impact and Reddit reports of non-Australian instances being affected, whereas TechRadar presents ServiceNow's official scope without this contradiction.
What different sources said
- TechRadar: "ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened"
- TechCrunch: "ServiceNow tells customers a bug left some of their data exposed to the internet"