
Unauthorized Access to Service Catalog and Admin-Level Content in ServiceNow

pavan_bolle
Tera Contributor

I am using the ServiceNow dev instance devXXXXXX.service-now.com and recently encountered some concerning access control issues.
While testing, I noticed that even users without any roles assigned can access the Service Catalog and, unexpectedly, certain admin-level content, such as user information and other sensitive data typically restricted to Admins. Although these users cannot navigate to these items through the UI, they can still view them by directly entering URLs copied from an Admin session.
My questions are:
1) Is this behavior expected?
        A) If so, why is such content accessible even without roles or permissions assigned?
2) If it's not expected, could this be a potential security vulnerability?
I would appreciate any insights or guidance on this matter. Thank you in advance!

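The test the post describes (copy URLs out of an admin session, open them as a user with no roles) can be made repeatable as a differential access check. The script below is an added example, not code from the post or from ServiceNow: it fetches each URL once as the admin and once as the role-less user, classifies every response, and lists the URLs both accounts can open. The denial markers, the placeholder instance name, the sample URLs and the environment-variable names are assumptions; the marker strings in particular should be confirmed against the instance before the output is trusted, because a ServiceNow page can answer 200 OK and still be a denial page. A hit in the final list is a triage item, not a verdict, since some pages are meant to be visible to every authenticated user.

```python
"""Differential access check for URLs copied from a ServiceNow admin session.

Added example, not from the post. Assumptions (not in the original):
  - ADMIN_URLS holds URLs copied from an admin session (placeholders below).
  - Credentials for an admin and a role-less user come from the environment.
  - Denial is signalled by 401/403, by a redirect to login.do, or by a 200
    page containing one of DENIAL_MARKERS (assumed strings; verify them).
"""
import base64
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str, str]  # (HTTP status, final or redirect URL, first 4 KiB of body)
Fetcher = Callable[[str], Response]

# Assumed denial indicators; confirm against your instance before relying on them.
DENIAL_MARKERS = (
    "Security constraints prevent access",  # UI page shown when a role check fails (assumed)
    "Insufficient rights",                  # JSON error text from the Table API (assumed)
)

# Hypothetical URLs copied from an admin session; replace with the ones under test.
ADMIN_URLS = [
    "https://instance.service-now.com/sys_user_list.do",
    "https://instance.service-now.com/sys_properties_list.do",
    "https://instance.service-now.com/catalog_home.do",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a bounce to login.do stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def basic_auth_fetcher(user: str, password: str) -> Fetcher:
    """Build a fetcher that sends HTTP basic auth as the given user and never follows redirects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(url: str) -> Response:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with opener.open(req, timeout=15) as resp:
                return resp.status, resp.geturl(), resp.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # 3xx and 4xx both land here; keep the Location header for redirect analysis.
            target = err.headers.get("Location", "") or url
            return err.code, target, err.read(4096).decode("utf-8", "replace")

    return fetch


def classify(resp: Response) -> str:
    """Reduce a response to 'accessible', 'denied', or 'other(<status>)'."""
    status, target, body = resp
    if status in (401, 403):
        return "denied"
    if 300 <= status < 400 and "login.do" in target:
        return "denied"
    if status == 200 and any(marker in body for marker in DENIAL_MARKERS):
        return "denied"  # 200 OK carrying a denial page is still a denial
    if status == 200:
        return "accessible"
    return f"other({status})"


def diff_access(urls: List[str], admin: Fetcher, roleless: Fetcher) -> Dict[str, Tuple[str, str]]:
    """Fetch every URL as both users and pair the two classifications per URL."""
    return {url: (classify(admin(url)), classify(roleless(url))) for url in urls}


def findings(results: Dict[str, Tuple[str, str]]) -> List[str]:
    """URLs both the admin and the role-less user can open: candidates for an ACL gap.

    Pages intended for all authenticated users appear here too, so this is a triage
    queue for ACL review, not a list of confirmed vulnerabilities.
    """
    return [url for url, (a, r) in results.items() if a == "accessible" and r == "accessible"]


if __name__ == "__main__":
    # Both accounts are assumed to exist on the instance; secrets come from the environment.
    admin_fetch = basic_auth_fetcher(os.environ["SN_ADMIN_USER"], os.environ["SN_ADMIN_PASS"])
    roleless_fetch = basic_auth_fetcher(os.environ["SN_NOROLE_USER"], os.environ["SN_NOROLE_PASS"])
    results = diff_access(ADMIN_URLS, admin_fetch, roleless_fetch)
    for url, (a, r) in results.items():
        print(f"{url}\n  admin={a}  role-less={r}")
    print("Review these:", *findings(results), sep="\n  ")
```

Run it against a dev instance with the four environment variables set; anything in the "Review these" list should then be checked against the ACLs on the underlying table or UI page (the sys_security_acl records) to decide whether read access for role-less users is intended there.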