ServiceNow Now Platform
cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*
A vulnerability exists in the Now Platform that may allow unauthorized data inference. This issue arises under specific conditional access control list (ACL) configurations, enabling both unauthenticated and authenticated users to use range query requests to access instance data that should remain restricted. To help customers improve access controls, ServiceNow has implemented new frameworks in the Xanadu and Yokohama releases, including Query ACLs, Security Data Filters, and Deny-Unless ACLs. Furthermore, a security update was provided in May 2025 to enhance customer ACL configurations. For additional guidance, customers can refer to the Knowledge Base Articles KB2046494 and KB2256712.
Exploitation of this vulnerability could lead to unauthorized data inference, allowing users to access restricted instance data through range query requests.
ServiceNow released a security update in May 2025 to improve ACL configurations. Customers should review Knowledge Base Articles KB2046494 and KB2256712 for further guidance.