Agentic Intelligence · Infomly
Jun 15, 2026
12:03 AM
Enterprise AI Impact

ServiceNow left an API endpoint unauthenticated for 44 days. It runs IT for the federal government.

ServiceNow disclosed on June 9 that an unauthenticated API endpoint was letting anyone query customer instance data. No credentials. No API key. No session cookie.

The endpoint `/api/now/related_list_edit/create` had `requires_authentication=false`. One flag. Set wrong.

Here's the part that should make every CISO lose sleep.

A researcher reported this through ServiceNow's bug bounty program on April 22. The patch didn't ship until June 5. That's 44 days where a known unauthenticated access flaw sat in production on the platform that runs help desks, change management, HR delivery, and asset inventory for the bulk of the U.S. federal government and 85% of the Fortune 500.

ServiceNow says the activity was "likely tied to security researchers." That framing appeared only after BleepingComputer published the story. The original June 9 bulletin told admins to treat it as an incident.

No CVE has been assigned. CISA's KEV catalog hasn't flagged it. That means no binding operational directive, no patch-by date, no reporting requirement for federal agencies.

The fix was one config flip. The delay was the scandal.

Audit your ServiceNow instance today. Check API logs for requests to that endpoint from May 1 through June 5. Rotate every credential that ever touched a support ticket. Treat the "researchers only" explanation as a best case, not a conclusion.
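One way to run the log check above, as an added example that is not part of the original post and not ServiceNow's own tooling: it scans an API access-log export for requests to `/api/now/related_list_edit/create` in the May 1 to June 5 window and separates those that carried no authenticated user. The log format (JSON lines with `ts`, `method`, `path`, `user`, `src_ip`) and the sample lines are assumptions constructed for illustration; adapt `parse_line` to whatever your instance's export actually looks like.

```python
"""Audit check for requests to the endpoint named in the bulletin.

Added example, not ServiceNow's code. Assumed (hypothetical) log format:
one JSON object per line with the fields
  "ts"     ISO-8601 UTC timestamp
  "method" HTTP method
  "path"   request path
  "user"   authenticated user, or null when no credential/session was presented
  "src_ip" client address
"""
import json
from datetime import datetime, timezone

TARGET_PATH = "/api/now/related_list_edit/create"   # endpoint named in the bulletin
WINDOW_START = datetime(2026, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 5, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = """\
{"ts": "2026-04-30T22:15:01Z", "method": "POST", "path": "/api/now/related_list_edit/create", "user": null, "src_ip": "203.0.113.7"}
{"ts": "2026-05-03T09:41:12Z", "method": "POST", "path": "/api/now/related_list_edit/create", "user": null, "src_ip": "203.0.113.7"}
{"ts": "2026-05-03T09:41:13Z", "method": "POST", "path": "/api/now/related_list_edit/create", "user": "itil.admin", "src_ip": "198.51.100.20"}
{"ts": "2026-05-20T17:02:44Z", "method": "GET", "path": "/api/now/table/incident", "user": null, "src_ip": "203.0.113.7"}
{"ts": "2026-06-04T03:10:09Z", "method": "POST", "path": "/api/now/related_list_edit/create", "user": null, "src_ip": "192.0.2.55"}
{"ts": "2026-06-06T11:00:00Z", "method": "POST", "path": "/api/now/related_list_edit/create", "user": null, "src_ip": "192.0.2.55"}
"""


def parse_line(line):
    """Parse one JSON log line and convert its timestamp to an aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def audit(log_text, start=WINDOW_START, end=WINDOW_END, path=TARGET_PATH):
    """Return (hits, unauthenticated) for requests to `path` inside [start, end].

    `hits` is every request to the endpoint in the window; `unauthenticated`
    is the subset with no user on the request, which is the traffic the
    misconfigured flag would have let through.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["path"] != path:
            continue
        if start <= rec["ts"] <= end:
            hits.append(rec)
    unauthenticated = [h for h in hits if h["user"] is None]
    return hits, unauthenticated


def summarize_by_source(records):
    """Count records per source address, to see which clients kept coming back."""
    counts = {}
    for rec in records:
        counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits, unauth = audit(SAMPLE_LOG)
    print(f"{len(hits)} request(s) to {TARGET_PATH} in window, "
          f"{len(unauth)} without an authenticated user")
    for ip, n in sorted(summarize_by_source(unauth).items()):
        print(f"  {ip}: {n} unauthenticated request(s)")
```

On the sample data this reports three requests to the endpoint in the window, two of them with no authenticated user, from two distinct source addresses. The `start` parameter is there for a reason the post's own timeline gives: the flaw was reported on April 22, so a defender who wants to be conservative can pass an earlier `start` and catch the April 30 line that the May 1 cutoff excludes.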