ServiceNow patches unauthenticated API exposure risk
🔒 ServiceNow notified customers after remediating a vulnerability that allowed an unauthenticated API endpoint to return tenant data under certain configurations. The issue, first reported via the vendor’s bug bounty program in April, prompted hosted updates on June 5 and guidance for self-hosted deployments. ServiceNow says affected instances were a subset of tenants and that observed activity appears linked to security researchers, though investigation continues. Customers are urged to apply updates and review logs for signs of unauthorized access.
