ServiceNow AI Platform Broken Access Control (CVE-2025-3089)
CVE-2025-3089 Published on August 12, 2025
Broken Access Control in ServiceNow AI Platform
ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users, potentially leading to unauthorized data modifications. This issue is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2025-3089 has been classified as an Insecure Direct Object Reference (IDOR) vulnerability or weakness.
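The IDOR pattern defined above, as an added example that is not ServiceNow code and not part of this advisory: a record-update handler that trusts the client-supplied key beside one that enforces object-level authorization before modifying data. Record ids, users and roles are constructed, and the owner-or-admin write rule is an assumed policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


class AccessDenied(Exception):
    pass


def sample_records():
    """Constructed sample table keyed by opaque record ids (not real data)."""
    return {
        "rec-001": {"owner": "alice", "status": "open"},
        "rec-002": {"owner": "bob", "status": "open"},
    }


def update_record_vulnerable(records, actor, record_id, changes):
    """IDOR: checks only that the caller is authenticated, then trusts the
    client-supplied key. Any logged-in user can modify any record simply by
    changing record_id in the request."""
    if actor is None:
        raise AccessDenied("not authenticated")
    records[record_id].update(changes)  # no object-level authorization
    return records[record_id]


def can_write(actor, record):
    """Assumed policy: only the record's owner or an admin role may write."""
    return record["owner"] == actor.name or "admin" in actor.roles


def update_record_hardened(records, actor, record_id, changes, denied_log):
    """Resolves the key server-side and checks the actor against that specific
    record before applying changes. Missing and forbidden ids raise the same
    error so the endpoint does not reveal which ids exist; each denial is
    appended to denied_log so repeated id-tampering can be monitored."""
    if actor is None:
        raise AccessDenied("not authenticated")
    record = records.get(record_id)
    if record is None or not can_write(actor, record):
        denied_log.append(f"denied write actor={actor.name} record={record_id}")
        raise AccessDenied("record not found or access denied")
    record.update(changes)
    return record


def is_denied(fn, *args):
    """True if calling fn(*args) is refused with AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```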
Affected Versions
ServiceNow AI Platform:
- Version Aspen and below Washington DC Patch 10 Hot Fix 2a is affected.
- Version Aspen and below Xanadu Patch 7a is affected.
- Version Aspen and below Xanadu Patch 8 is affected.
- Version Aspen and below Yokohama Patch 1a is affected.
- Version Aspen and below Yokohama Patch 2 is affected.
- Version Aspen and below Zurich (EA) is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with those of all other scored vulnerabilities.