CVE-2025-3089 MEDIUM

CVE-2025-3089: Broken Access Control in ServiceNow AI Platform

Vendor ServiceNow
Product ServiceNow AI Platform
Weakness CWE-639 · IDOR
Published August 12, 2025
Last update August 12, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users, potentially leading to unauthorized data modifications. This issue is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners.

Key dates

02 Disclosure timeline

August 12, 2025 CVE published
August 12, 2025 Record updated
