ServiceNow — AI Platform RCE (CVE-2026-0542)
AI relevance: The bug affects the ServiceNow AI Platform sandbox that executes AI workflows, so code execution inside that sandbox can compromise AI automation environments.
- ServiceNow disclosed CVE-2026-0542, a remote code execution issue in the ServiceNow AI Platform.
- The flaw allows an unauthenticated attacker to execute code in the platform’s sandbox under certain conditions.
- NVD lists the weakness as CWE-653: Improper Isolation or Compartmentalization.
- The CNA's CVSS v4 vector indicates a network attack vector with no privileges or user interaction required.
- ServiceNow deployed fixes to hosted instances and shipped updates for self-hosted customers and partners.
- ServiceNow reports no known exploitation as of disclosure.
Why it matters
- AI platform sandboxes are often trusted to run agent automations; RCE breaks that trust boundary.
- Unauthenticated reachability raises the risk for internet-exposed AI deployments.
What to do
- Apply the ServiceNow security updates for affected AI Platform deployments.
- Confirm sandbox boundaries with post-patch validation and isolation testing.
- Restrict access to AI Platform endpoints and audit exposed interfaces.