ServiceNow API Breach: What Customers Need to Know - KB3067321
A misconfigured ServiceNow REST endpoint (/api/now/related_list_edit/create) shipped with authentication disabled, allowing unauthenticated access to customer instances. Attackers exploited this on June 2–3, 2026, successfully querying data from a subset of customer tenants. ServiceNow had internally documented the vulnerability since April 7 but didn't treat it as urgent until a customer forced escalation. The company patched hosted instances on June 5. Affected customers were notified directly. The issue primarily impacts the Australia platform release, although according to multiple reports, customers outside Australia were also affected, according to the email they received. ServiceNow has released KB3067321 acknowledging the incident. A CVE is pending. If you didn't receive an email from ServiceNow, your instance may not be compromised.
https://thecybersecguru.com/news/servicenow-api-vulnerability-breach/