
Unauthenticated API access in ServiceNow: what IAM teams missed


(@unosecur)
Reputable Member
Joined: 1 year ago
Posts: 155
Topic starter  

TL;DR: ServiceNow disclosed that KB3067321 involved an unauthenticated REST endpoint that could expose greater access than intended, with evidence of successful queries against instance tables for some customers, according to Unosecur. The incident shows how a single missing authentication check can bypass the access hierarchy and turn ticket data into an identity security problem, not just a platform vulnerability.

NHIMG editorial — based on content published by Unosecur: ServiceNow KB3067321 and the unauthenticated API flaw

Questions worth separating out

Q: What breaks when an API endpoint does not require authentication?

A: When an API endpoint does not require authentication, every control that depends on knowing the caller becomes unreliable.

Q: Why are service desks and tickets risky for NHI governance?

A: Service desks are risky because they often store secrets that still authenticate elsewhere, including API keys, passwords, tokens, and connection strings.

Q: How do security teams know whether a SaaS access event was read or exfiltration?

A: Teams need durable transaction logs, REST request metadata, and response-size visibility to tell the difference between a successful query and confirmed exfiltration.

Practitioner guidance

  • Inventory credential-bearing workflow data: scan ITSM descriptions, work notes, and attachments for API keys, passwords, tokens, and connection strings, then classify those items as secrets rather than ordinary attachments.
  • Audit authentication on every REST resource: enumerate custom and platform API endpoints, verify authentication requirements, and flag any unauthenticated read or create path as a governance defect.
  • Preserve logs before patch windows close: export transaction and REST logs for the incident window, including request metadata and response sizes, so query activity can be distinguished from confirmed exfiltration.
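As an added illustration of the second and third points (not code from Unosecur or from ServiceNow), the triage below runs over a few constructed REST transaction records and separates authenticated traffic, denied unauthenticated calls, small unauthenticated probes, and unauthenticated bulk reads, then totals bytes and rows per source and endpoint. The JSON-lines schema, the endpoint paths, the IPs and the 1 MB bulk threshold are all assumptions; the page does not name the affected endpoint, and real exported logs would need their own field mapping.

```python
import json
from collections import defaultdict

# Constructed sample records in a hypothetical JSON-lines layout. This is NOT
# ServiceNow's actual transaction-log schema; field names are assumptions.
SAMPLE_LOG = """
{"ts":"2025-01-10T09:00:01Z","src":"203.0.113.5","path":"/api/now/table/incident","user":null,"status":200,"resp_bytes":412,"rows":1}
{"ts":"2025-01-10T09:00:07Z","src":"203.0.113.5","path":"/api/now/table/incident","user":null,"status":200,"resp_bytes":2600000,"rows":10000}
{"ts":"2025-01-10T09:01:00Z","src":"198.51.100.9","path":"/api/now/table/incident","user":"svc_itsm","status":200,"resp_bytes":3100,"rows":20}
{"ts":"2025-01-10T09:02:00Z","src":"192.0.2.44","path":"/api/now/table/sys_user","user":null,"status":401,"resp_bytes":120,"rows":0}
"""

BULK_BYTES = 1_000_000  # assumed threshold separating a probe from a bulk read


def parse_log(text):
    """Parse JSON-lines text into a list of request dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(rec):
    """Label one request: who called it, was it allowed, and how much came back."""
    if rec["user"] is not None:
        return "authenticated"
    if rec["status"] != 200:
        return "unauth-denied"          # endpoint enforced auth; no data left
    if rec["resp_bytes"] >= BULK_BYTES:
        return "unauth-bulk-read"       # candidate exfiltration, needs follow-up
    return "unauth-probe"               # successful but small; still a defect


def triage(records):
    """Aggregate successful unauthenticated calls by (source IP, endpoint path)."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "rows": 0, "bulk": False})
    for rec in records:
        label = classify(rec)
        if label in ("authenticated", "unauth-denied"):
            continue
        s = summary[(rec["src"], rec["path"])]
        s["requests"] += 1
        s["bytes"] += rec["resp_bytes"]
        s["rows"] += rec["rows"]
        s["bulk"] = s["bulk"] or label == "unauth-bulk-read"
    return dict(summary)


if __name__ == "__main__":
    for key, stats in triage(parse_log(SAMPLE_LOG)).items():
        print(key, stats)
```

Any endpoint that appears with a 200 status and no user is itself the finding for the authentication audit; the byte and row totals are what turn "a query succeeded" into a scoped exfiltration assessment.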

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • Exact affected endpoint path and configuration change details behind the unauthenticated access issue
  • Investigative steps for service desks, including the specific log filters and IP indicators used by administrators
  • The incident timeline from disclosure to patching, including the customer-support bulletin timing
  • Unosecur's product-specific response workflow for inventorying and rotating exposed non-human identities

👉 Read Unosecur's analysis of ServiceNow KB3067321 and unauthenticated API exposure →

