ServiceNow AI Platform
cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*
A privilege escalation vulnerability has been identified in the ServiceNow AI Platform. This vulnerability allows an unauthenticated user to impersonate another user and access the operations that the impersonated user is authorized to perform. ServiceNow addressed this vulnerability in October 2025 by deploying a security update to most hosted instances. Security updates were also provided to self-hosted customers and partners. The vulnerability is also addressed in specific Store App versions.
Exploitation of this vulnerability could lead to unauthorized user impersonation, allowing an attacker to perform actions on behalf of another user.
Customers are advised to apply the security update or upgrade to a version where this vulnerability has been addressed. For those using the Now Assist AI Agents application, versions 5.1.18 or 5.2.19 or later should be used. Users of the Virtual Agent API should upgrade to version 3.15.2 or 4.0.4 or later.
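An inventory check against the fixed versions listed above, as an added example that is not ServiceNow's own code. It assumes each listed version is the floor of its own major.minor release line, so a plain "5.1.18 or later" comparison would wrongly pass 5.2.3; the instance names and installed versions are constructed sample data.

```python
# Fixed versions quoted from the advisory text. Treating each one as the floor
# of its own major.minor release line is an assumption of this example.
FIXED = {
    "Now Assist AI Agents": [(5, 1, 18), (5, 2, 19)],
    "Virtual Agent API": [(3, 15, 2), (4, 0, 4)],
}


def parse_version(text):
    """Parse 'X.Y.Z' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def classify(app, version):
    """Return 'fixed', 'upgrade' or 'review' for one installed app version."""
    v = parse_version(version)
    floors = sorted(FIXED[app])
    for floor in floors:
        if v[:2] == floor[:2]:      # same release line: compare to its floor
            return "fixed" if v >= floor else "upgrade"
    if v > floors[-1]:              # newer than every listed line ("or later")
        return "fixed"
    if v < floors[0]:               # older than every listed fix
        return "upgrade"
    return "review"                 # between listed lines: advisory does not say


def triage(inventory):
    """Classify (instance, app, version) rows; apps not in FIXED are skipped."""
    return [(inst, app, ver, classify(app, ver))
            for inst, app, ver in inventory if app in FIXED]


# Constructed sample inventory (instance names and versions are made up).
SAMPLE = [
    ("dev01", "Now Assist AI Agents", "5.2.3"),
    ("prod01", "Now Assist AI Agents", "5.1.18"),
    ("prod02", "Virtual Agent API", "4.0.3"),
    ("test01", "Virtual Agent API", "3.16.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

A "review" result means the installed version falls between the listed release lines, where the advisory text does not state whether the fix is included.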