CVE-2025-3648

A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section.

CVSS

No CVSS.

References

Link	Resource
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2256712

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en Now Platform que podría provocar la inferencia de datos sin autorización. Bajo ciertas configuraciones de listas de control de acceso condicional (ACL), esta vulnerabilidad podría permitir que usuarios, tanto autenticados como no autenticados, utilicen solicitudes de consulta de rango para inferir datos de instancias a los que no deberían tener acceso. Para ayudar a los clientes a mejorar los controles de acceso, ServiceNow ha introducido marcos de control de acceso adicionales en Xanadu y Yokohama, como las ACL de consulta, los filtros de datos de seguridad y las ACL de denegación. Además, en mayo de 2025, ServiceNow entregó a sus clientes una actualización de seguridad diseñada para mejorar las configuraciones de las ACL. Consulten los artículos de la base de conocimientos en la sección de Referencias.

08 Jul 2025, 17:15

Type	Values Removed	Values Added
References		() https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494 - () https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2256712 -
Summary	(en) A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the following KB Articles for further guidance: * (Requires NowSupport login) https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494 * (Requires NowSupport login) https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2256712 * https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567	(en) A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section.

08 Jul 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-08 16:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-3648

Mitre link : CVE-2025-3648

CVE.ORG link : CVE-2025-3648

JSON object : View

Products Affected

No product.

CWE

CWE-1220

Insufficient Granularity of Access Control

JSON object

Attach tags to CVE-2025-3648

Attach tags to `CVE-2025-3648`