The Configuration That Should Not Exist
ServiceNow disclosed a security incident in June 2026 involving a REST API endpoint — /api/now/related_list_edit/create — that was configured with requires_authentication=false. This is not a buffer overflow, not a race condition, not a cryptographic weakness. It is a boolean flag. A single configuration value that determines whether an API endpoint requires a login. It was set to false. On a production endpoint. Of the enterprise IT platform used by most of the Fortune 500.
A bug bounty researcher reported the vulnerability on April 22, 2026. ServiceNow deployed the patch on June 5, 2026 — 44 days later. During that window, ServiceNow acknowledged that 'unattributed activity' was observed on customer instances. ServiceNow later characterized this activity as 'security researchers or customer-led research' rather than malicious exploitation. Whether the characterization is accurate, the fact remains: for 44 days, an unauthenticated API endpoint exposed customer data on a platform that stores IT support tickets, employee records, internal documentation, asset inventories, security reports, and workflow data.
What ServiceNow Stores
ServiceNow is not a website builder or a content management system. It is the operational nervous system of enterprise IT. Organizations use ServiceNow to manage: IT support tickets (including details of security incidents), employee onboarding and offboarding workflows (including access provisioning), change management records (including infrastructure modification approvals), asset inventories (including server names, IP addresses, and configuration details), vulnerability management workflows (including scan results and remediation timelines), and audit compliance documentation.
An unauthenticated API endpoint on ServiceNow does not expose a blog post or a product listing. It exposes the operational DNA of an enterprise — the records that describe how the organization runs its technology, manages its people, and responds to security incidents. For an attacker performing reconnaissance before a targeted attack, ServiceNow data is a treasure trove: it reveals the organization's technology stack, its patching cadence, its security tooling, its employee structure, and its incident response procedures.
The Configuration Complexity Problem
How does requires_authentication=false appear on a production API endpoint of a platform used by thousands of enterprises? The answer is configuration complexity. ServiceNow has thousands of configurable endpoints, scoping rules, access controls, and business rules. Each customer instance can customize these settings. The platform's power — its infinite configurability — is also its vulnerability. A single misconfigured flag in a sea of thousands of settings creates an exposure that no security review is likely to catch through manual inspection.
This is the enterprise platform paradox: the platforms trusted with the most sensitive enterprise data are also the most complex to configure correctly. ServiceNow, Salesforce, SAP, Oracle — each has thousands of configuration options that interact in non-obvious ways. A setting that is safe in isolation may create an exposure when combined with other settings. The bug bounty researcher found what ServiceNow's own security team, and the security teams of all its enterprise customers, did not: a production API endpoint that anyone could access without logging in.
The Web Infrastructure Lesson
Modern web frameworks prevent this vulnerability class by design. FastAPI requires explicit authentication decorators — an endpoint without an auth dependency is visually obvious in code review. Django REST Framework defaults to requiring authentication on all ViewSets. Next.js API routes require explicit middleware for public access. The 'secure by default' pattern means a developer must actively choose to make an endpoint public, rather than actively choosing to make it private.
ServiceNow's configuration model is the opposite: endpoints can be toggled between authenticated and unauthenticated through platform settings, separate from the code that implements the endpoint. The separation of access control from implementation creates a gap where security settings can drift without triggering code review, CI/CD checks, or automated security scanning. The 44-day gap between report and patch suggests that even identifying and fixing the misconfiguration required significant effort in a platform with that level of configuration complexity. The web infrastructure lesson: access control should live in code, not in configuration databases, and 'authenticated by default' should be the framework's starting position, not the developer's decision.


