Skip to main content

ServiceNow AI Platform CVE-2026-6875

CRITICAL
Code Injection (CWE-94)
2026-07-13 SN
9.5
CVSS 4.0 · Vendor: SN
Share

Severity by source

Vendor (SN) PRIMARY
9.5 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.0 CRITICAL

Unauthenticated network RCE (AV:N/PR:N/UI:N) with attacker-uncontrollable preconditions (AC:H) and impact beyond the vulnerable component (S:C), full C/I/A loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (SN).

CVSS VectorVendor: SN

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 19:28 vuln.today
CVE Published
Jul 13, 2026 - 18:17 cve.org
CRITICAL 9.5

DescriptionCVE.org

ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow platform.

ServiceNow addressed this vulnerability by deploying a security update to hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers and partners.

Further, the vulnerability is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners. We are not currently aware of exploitation against ServiceNow instances.

We recommend customers promptly apply appropriate updates or upgrade to a patched release if they have not already done so.

AnalysisAI

Remote code execution in the ServiceNow AI Platform allows an unauthenticated attacker, under certain (unspecified) circumstances, to execute arbitrary code within the ServiceNow platform, carrying a critical CVSS 4.0 base score of 9.5. ServiceNow has patched hosted instances directly and issued fixes to self-hosted customers and partners; there is no public exploit identified at time of analysis, and the vendor states it is not currently aware of exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed ServiceNow AI Platform endpoint
Delivery
Craft malicious unauthenticated request
Exploit
Satisfy required instance circumstance
Execution
Trigger code execution in platform
Impact
Compromise platform and connected systems

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to a ServiceNow AI Platform instance and, per the vendor, only succeeds 'in certain circumstances' - the CVSS AC:H metric confirms attacker-uncontrollable preconditions must be met, though the description does not name the exact feature, configuration flag, or instance state that enables it (this specific prerequisite is UNKNOWN from the available data and should be confirmed via KB3137947). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly aligned toward high priority but with one important nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a vulnerable self-hosted ServiceNow AI Platform instance over the network sends a specially crafted request to an AI-platform handler that, under the right instance state or configuration, triggers server-side code execution without any authentication. Because the impact spans the vulnerable and subsequent systems, successful exploitation could lead to full compromise of platform data and workflows. …
Remediation Patch available per vendor advisory: ServiceNow has already deployed the security update to hosted instances (no customer action required for those), and self-hosted customers and partners must apply the relevant patch or upgrade to a fixed family release as listed in KB3137947 - the exact fixed version strings are not provided in this input and should be taken directly from that advisory rather than assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Contact ServiceNow support to confirm patch availability for your deployment model (hosted, self-hosted, or partner-managed) and current platform version. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy