In a concerning cybersecurity lapse, ClickUp has inadvertently exposed nearly 1,000 corporate and government email addresses through a hardcoded API key embedded in a publicly accessible JavaScript file on its homepage. Notably, this vulnerability, first reported in January 2025, remains unresolved as of April 2026, raising serious concerns about prolonged data exposure and weak secret management practices.

According to findings shared by a security researcher, the issue came to light when they simply visited ClickUp’s homepage and inspected its page source. During this process, they discovered a hardcoded third-party API key embedded directly in a JavaScript file that loads even before user authentication occurs. Consequently, this meant that anyone with basic technical knowledge could access sensitive data without needing credentials or advanced tools.

More alarmingly, a single unauthenticated GET request using the exposed API key returned 959 email addresses along with 3,165 internal feature flags. This data required no bypass mechanisms or exploitation techniques, highlighting the severity and simplicity of the flaw.

The leaked information spans a wide range of high-profile organizations. Employees from companies such as Fortinet, Home Depot, Autodesk, Tenable, Rakuten, and Mayo Clinic were among those affected. Additionally, the dataset included personnel from global investment firm Permira and law firm Akin Gump. Furthermore, government workers from multiple regions—including U.S. states like Wyoming, Arkansas, North Carolina, and Montana, as well as Queensland in Australia and New Zealand—were also impacted. The exposure even extended to a Microsoft contractor and 71 ClickUp employees.

Given the profile of the affected organizations, the implications are particularly serious. For instance, Fortinet develops enterprise firewalls that protect critical infrastructure worldwide, while Tenable is known for its widely used Nessus vulnerability scanner. Therefore, exposing employee email addresses from such organizations creates a direct pathway for phishing campaigns, credential stuffing attacks, and social engineering attempts targeting cybersecurity professionals themselves.

In addition to email addresses, the leak also revealed thousands of internal feature flags. These flags provide insights into product development, beta testing, and A/B configurations. As a result, attackers or competitors could potentially leverage this information for targeted platform abuse or competitive intelligence gathering.

The vulnerability was initially reported to ClickUp through HackerOne on January 17, 2025. However, despite responsible disclosure, the API key remained active for over 15 months. The researcher confirmed that the data was still accessible shortly before the public disclosure, emphasizing that this is not a newly discovered flaw but rather a long-standing, unpatched vulnerability.

“This is not a zero-day. It is an unpatched known vulnerability sitting in production, quietly harvesting enterprise PII for over a year.”

ClickUp, which has raised $535 million and holds a valuation of $4 billion, claims that 85% of Fortune 500 companies use its platform. Consequently, this incident raises questions about its security posture and internal controls. Hardcoded secrets in client-side JavaScript are widely recognized as preventable vulnerabilities, making this oversight particularly difficult to justify at such scale.
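The class of defect described here, a third-party key sitting as a string literal in a public front-end bundle, is one that a build-time check can catch before deployment. The following is an added example, not ClickUp's code or the researcher's tooling: it scans JavaScript source for string literals assigned to key-like names and flags those whose character entropy looks like a generated secret rather than a label. The bundle and the key value in it are constructed placeholders.

```python
import math
import re

# Constructed sample of a front-end bundle with an embedded third-party key.
# The key is a placeholder value, not a real credential.
SAMPLE_JS = """
const featureClient = init({
  apiKey: "sk_live_4f9c2a7e1b8d3c6a5e0f7b2d9c1a8e3f",
  env: "production"
});
const THEME = "dark";
const RETRY_ATTEMPTS = "3";
"""

# Object properties or assignments whose name hints at a credential and whose
# value is a string literal of at least 16 characters.
KEY_ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_$][\w$]*(?:key|token|secret)[\w$]*)"""
    r"""\s*[:=]\s*["'](?P<value>[^"']{16,})["']""",
    re.IGNORECASE,
)


def shannon_entropy(s):
    """Bits of entropy per character; generated keys score well above prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_keys(js_source, min_entropy=3.5):
    """Return (name, value, line) for key-like assignments with high-entropy values.

    The entropy threshold separates generated API keys (typically > 4 bits per
    character for mixed hex/alphanumeric strings) from descriptive labels
    such as "placeholder_placeholder" (about 3.2 bits per character).
    """
    findings = []
    for m in KEY_ASSIGNMENT.finditer(js_source):
        value = m.group("value")
        if shannon_entropy(value) >= min_entropy:
            line = js_source.count("\n", 0, m.start()) + 1
            findings.append((m.group("name"), value, line))
    return findings


if __name__ == "__main__":
    for name, value, line in find_hardcoded_keys(SAMPLE_JS):
        print(f"line {line}: {name} = {value[:8]}... (possible hardcoded secret)")
```

Running this over each JavaScript asset in a CI pipeline, and failing the build on any finding, turns the check into a gate rather than an after-the-fact audit.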

As of now, ClickUp has not publicly acknowledged the issue, leaving enterprises and government entities exposed to ongoing risks.
