Known Issue: ServiceNow May 2025 Maintenance Query ACL Enforcement May Block Legitimate Access or Expose Sensitive Data


Status

Resolved — A hot fix is available for Serenity customers. Contact Serenity via our support portal or email [email protected] for additional details.

Summary

Serenity investigated the impacts of a platform-wide ServiceNow security patch released in May 2025 that affects query_match and query_range ACL enforcement. This update may block legitimate user access to data or reveal gaps in existing access controls.

Description

The May 2025 ServiceNow patch introduced stricter enforcement of query-level access control via query_range ACLs (e.g., CONTAINS, STARTSWITH, >=) and indirectly affected query_match ACLs (e.g., EQUALS, IN).

While the goal was to prevent unauthorized inference of sensitive data—such as guessing salaries by running filtered queries—the patch has also caused unintended side effects.

For example:

  • Missing or incomplete ACL coverage can still allow inference of protected data via query_match.

  • Users with the correct roles may now be blocked from querying for records they have read access to. Users will see an error message like:
    Part of the query on [table_name] has been ignored because of insufficient access for ‘query_range’ operation on [table_name.field_name]
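A triage sketch for the error above, added here as an example and not Serenity's or ServiceNow's code: it tallies the ignored-query messages by table.field so an admin can see which columns are being blocked most often. The log-line prefix and the table and field names are constructed, and matching operations other than query_range with the same wording is an assumption.

```javascript
// Message wording follows the advisory; both curly and straight quotes are accepted.
const MESSAGE_RE = new RegExp(
  "Part of the query on (\\w+) has been ignored because of insufficient access " +
  "for ['\u2018\u2019]([a-z_]+)['\u2018\u2019] operation on (\\w+(?:\\.\\w+)*)"
);

// Returns { table, operation, field } for a matching line, otherwise null.
function parseIgnoredQuery(line) {
  const m = MESSAGE_RE.exec(line);
  if (!m) return null;
  const [, table, operation, qualified] = m;
  // The field is reported as table.field; keep only the column part.
  const field = qualified.startsWith(table + ".")
    ? qualified.slice(table.length + 1)
    : qualified;
  return { table, operation, field };
}

// Groups hits per column and operation, most frequently blocked first.
function summarize(lines) {
  const counts = new Map();
  for (const line of lines) {
    const hit = parseIgnoredQuery(line);
    if (!hit) continue; // unrelated log line
    const key = `${hit.table}.${hit.field}|${hit.operation}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .map(([key, count]) => {
      const [column, operation] = key.split("|");
      return { column, operation, count };
    })
    .sort((a, b) => b.count - a.count || a.column.localeCompare(b.column));
}

// Constructed sample input: hypothetical table x_demo_case, hypothetical log prefix.
const SAMPLE_LINES = [
  "2025-06-02 09:14:03 user=a.lee Part of the query on x_demo_case has been ignored because of insufficient access for \u2018query_range\u2019 operation on x_demo_case.short_description",
  "2025-06-02 09:15:41 user=b.kim Part of the query on x_demo_case has been ignored because of insufficient access for 'query_range' operation on x_demo_case.short_description",
  "2025-06-02 09:17:20 user=a.lee Part of the query on x_demo_case has been ignored because of insufficient access for 'query_range' operation on x_demo_case.priority.",
  "2025-06-02 09:18:02 user=c.roy Login succeeded",
];

console.log(summarize(SAMPLE_LINES));
```

Each column in the output is a candidate for review: either the user should not be filtering on it, or a query ACL covering a legitimate role is missing.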

Scope of Impact

  • This is not a Serenity-specific issue, but it does have potential impact on Serenity applications.

  • The issue affects all ServiceNow customers and applications. The exact impact will vary by customer depending upon platform version, level of direct customization, and volume of third-party store apps installed.

  • Serenity scope ACLs saw a ~45–50% increase in several customer environments; total platform ACL increases vary (we’ve seen ~40–75% increases).

  • Performance and manageability of ACLs may also be impacted. Volume of ACLs can cause performance issues, especially if the logic is scripted and/or complex.

Serenity Response

We have:

  • Strengthened development standards to account for query-level ACL enforcement.

  • Incorporated additional platform security features into our baseline security model.

We have developed a solution that will be part of our upcoming 8.4 baseline store releases. We have a hot fix available for customers that are on previous versions. Contact Serenity via our support portal or email [email protected] for additional hot fix availability and details.

Recommended Action to ServiceNow Platform Admins