SNOW-28.6: addEncodedQuery Without User Context Restriction
🔴 High · ServiceNow ACL
Detects use of addEncodedQuery() in agent-facing scripts where addUserEncodedQuery() should be used. ServiceNow mandates addUserEncodedQuery() to restrict queried data to precisely what the active identity is authorized to view. Using addEncodedQuery() bypasses this restriction, potentially exposing data across all tenants and ACL boundaries.
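As an added illustration of what this rule checks for (example code, not SquireX's or ServiceNow's own), the script below is a small static check that scans ServiceNow server-side script text for `addEncodedQuery()` calls, reports each with its line number, ignores calls that appear only in comments, and leaves `addUserEncodedQuery()` alone. The two sample scripts, the `scanScript` and `stripComments` function names and the finding format are constructed for this example.

```javascript
// Added example, not SquireX's or ServiceNow's own code: a minimal static
// check in the spirit of SNOW-28.6. It flags GlideRecord.addEncodedQuery()
// calls in script text and accepts addUserEncodedQuery(), which scopes the
// query to what the acting user is authorized to read.
// Limitation: comment stripping is not string-literal aware, so a "//"
// inside a string would be treated as a comment start.

const RULE_ID = "SNOW-28.6";

// Remove // and /* */ comments while keeping every line break, so the line
// numbers reported below still refer to the original source.
function stripComments(source) {
  let out = "";
  let i = 0;
  while (i < source.length) {
    if (source.startsWith("//", i)) {
      while (i < source.length && source[i] !== "\n") i++;
    } else if (source.startsWith("/*", i)) {
      const end = source.indexOf("*/", i + 2);
      const stop = end === -1 ? source.length : end + 2;
      for (; i < stop; i++) if (source[i] === "\n") out += "\n";
    } else {
      out += source[i++];
    }
  }
  return out;
}

// Return one finding per addEncodedQuery() call: { ruleId, line, snippet, fix }.
function scanScript(source) {
  const findings = [];
  const cleaned = stripComments(source).split("\n");
  const originalLines = source.split("\n");
  // Matches ".addEncodedQuery(" but not ".addUserEncodedQuery(".
  const pattern = /\.\s*addEncodedQuery\s*\(/;
  cleaned.forEach((text, idx) => {
    if (pattern.test(text)) {
      findings.push({
        ruleId: RULE_ID,
        line: idx + 1,
        snippet: originalLines[idx].trim(),
        fix: "Use addUserEncodedQuery() so results are limited to what the acting user may read",
      });
    }
  });
  return findings;
}

// Constructed sample: an agent-facing lookup using the unrestricted method.
const VULNERABLE_SCRIPT = `
// Look up open P1 incidents for the assistant's response
var gr = new GlideRecord('incident');
gr.addEncodedQuery('active=true^priority=1');
gr.query();
`;

// Constructed sample: the same lookup using the user-scoped method. The old
// call survives only inside a comment, which the scanner must not flag.
const HARDENED_SCRIPT = `
/* Results are filtered by the acting user's ACLs.
   Previous form: gr.addEncodedQuery('active=true^priority=1'); */
var gr = new GlideRecord('incident');
gr.addUserEncodedQuery('active=true^priority=1');
gr.query();
`;

console.log("vulnerable:", scanScript(VULNERABLE_SCRIPT));
console.log("hardened:", scanScript(HARDENED_SCRIPT));
```

Running it reports a single finding at line 4 of the vulnerable sample and nothing for the hardened one; the same `scanScript` call can be pointed at any script body pulled from an instance to triage candidates before a manual review of whether the script is agent-facing.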
Details
| Field | Value |
|---|---|
| Rule ID | SNOW-28.6 |
| Severity | High |
| Category | ServiceNow ACL |
| Platforms | servicenow |
| Compliance | SOC2_CC6, NIST_AI_RMF |
Remediation
Refer to the SquireX documentation for remediation guidance specific to SNOW-28.6.