ClickUp email exposure raises SaaS alarm

A hardcoded API key embedded in ClickUp’s public website exposed 959 corporate and government email addresses and more than 3,000 internal feature flags for over a year, intensifying scrutiny of security controls at widely used software-as-a-service platforms.

The exposure was tied to a production JavaScript bundle that loaded before authentication, allowing anyone inspecting the page source to extract a third-party SDK token and send an unauthenticated request to a backend service. The data returned reportedly included enterprise email addresses, internal targeting rules and configuration details linked to feature rollouts, billing experiments, AI pricing tiers, rate-limiting settings and infrastructure routing.
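The practical check that follows from the paragraph above is to scan your own production bundles for credentials before they ship. The scanner below is an added example written for this article; it is not ClickUp's code or the researcher's tooling. The sample bundle, the `sdk-client-` prefix, the variable names and the URLs are constructed assumptions; only the AWS access key id and GitHub token shapes are real public formats (the AWS value is Amazon's documented example key).

```javascript
// Added example (not ClickUp's code or the researcher's tooling): scan a
// production JavaScript bundle for hardcoded credentials before it ships.
// The bundle below is constructed; the "sdk-client-" prefix, variable names
// and URLs are illustrative assumptions. The AWS access key id and GitHub
// token shapes are real public formats (the AWS value is Amazon's documented
// example key).

// Constructed sample of what a minified front-end file might contain.
const SAMPLE_BUNDLE = `
(function(){var e="https://api.example.invalid";
var SDK_KEY="sdk-client-4f3a9c1e7b2d8e6a5c0f1b9d3e7a2c4f";
var AWS="AKIAIOSFODNN7EXAMPLE";
var ok=true;var t="Loading...";var h=window.location.hostname;
fetch(e+"/v1/flags?key="+SDK_KEY).then(r=>r.json());
var ghp="ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
})();
`;

// Detection rules: known token formats, plus a generic rule for any literal
// assigned to a variable whose name suggests a credential. For the generic
// rule, `group` says which capture group holds the candidate secret.
const RULES = [
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'github-pat', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  {
    name: 'secret-assignment',
    re: /\b([A-Za-z_$][\w$]*(?:key|token|secret)[\w$]*)\s*[:=]\s*["']([^"'\s]{16,})["']/gi,
    group: 2,
  },
];

// Shannon entropy in bits per character; placeholders such as
// "REPLACE_ME_REPLACE_ME" score low, real keys score high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Never log the full secret: keep just enough to locate it in the source.
function redact(value) {
  return value.slice(0, 6) + '...' + value.slice(-4);
}

// Returns one finding per match: rule name, 1-based line, redacted value,
// entropy. Generic matches below `minEntropy` are dropped as likely
// placeholders; known-format matches are always reported.
function scanBundle(text, minEntropy = 3.0) {
  const findings = [];
  for (const rule of RULES) {
    const re = new RegExp(rule.re.source, rule.re.flags); // fresh lastIndex
    let m;
    while ((m = re.exec(text)) !== null) {
      const value = rule.group ? m[rule.group] : m[0];
      const entropy = shannonEntropy(value);
      if (rule.group && entropy < minEntropy) continue;
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({
        rule: rule.name,
        line,
        value: redact(value),
        entropy: Number(entropy.toFixed(2)),
      });
    }
  }
  return findings;
}

// Fail the build if anything is found; a CI job would run this over dist/.
function bundleIsClean(text) {
  return scanBundle(text).length === 0;
}

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`${f.rule} at line ${f.line}: ${f.value} (entropy ${f.entropy})`);
}
```

Run against a real build output, the known-format rules catch vendor tokens and the generic rule catches anything a developer named like a secret; the entropy gate keeps obvious placeholders out of the report. A key that is genuinely meant to be public (a client-side SDK identifier) will still be flagged, which is the point: it forces a reviewer to confirm that nothing sensitive is reachable with it.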


Security researcher Impulsive, known online as @weezerOSINT, said the issue was reported through HackerOne on January 17, 2025, but remained active in April 2026. “No account needed. No session needed at all, just view source and the SDK key is yours,” the researcher said while publishing redacted evidence of the exposure.

ClickUp, a San Diego-based productivity and project management platform, is used by businesses to manage tasks, documents, chat, dashboards, whiteboards and workflow automation. The company was valued at about $4 billion after a $400 million Series C funding round in 2021, bringing total funding to more than $535 million. Its customer base spans start-ups, large enterprises and public-sector users, making any exposure of corporate identifiers a potential entry point for targeted attacks.

The exposed email addresses reportedly included personnel from major companies such as Fortinet, Home Depot, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira and Akin Gump, along with government workers from several jurisdictions, including US states, Queensland in Australia and New Zealand. The dataset also included ClickUp employees and at least one Microsoft contractor, widening concern over how third-party SaaS ecosystems can create indirect risk for organisations that may not have suffered a direct breach of their own systems.

While email addresses alone are not equivalent to passwords or financial records, they can be valuable in phishing, credential stuffing and impersonation campaigns. The risk is higher when exposed addresses are associated with specific enterprise platforms, technical functions or organisations involved in cybersecurity, healthcare, law, retail, government and investment. Attackers can use such data to craft convincing messages that reference workplace tools, internal product features or vendor relationships.

The disclosure also highlighted a second layer of risk: internal feature flags. Feature flags are commonly used to control software rollouts, beta testing, pricing experiments and user segmentation. When exposed, they can reveal details about product development, customer targeting, infrastructure logic and experimental capabilities. Such information may support competitive intelligence, platform abuse or more precise reconnaissance by threat actors.

The reported weakness was not a complex intrusion but a failure of secret management and access control. Anything shipped in a browser bundle is readable by every visitor, so a client-side API key or SDK token can at most identify the application; it cannot prove who is calling, and a backend that returns sensitive data to anyone who presents it has effectively made that data public. Security teams typically mitigate this risk by rotating exposed keys, moving privileged calls behind a server-side proxy that checks the caller's session, scoping client keys to least privilege, rate-limiting and monitoring the endpoints those keys can reach, and automatically scanning builds and repositories for embedded credentials.
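The anti-pattern described above beside a hardened version, as an added example written for this article and not ClickUp's code: a backend handler that treats the public SDK key as authorisation and serialises the whole flag store, next to one that takes identity from the session, evaluates targeting rules server-side and returns only the flag values the caller may see. The flag names, email addresses, session identifiers, the `audience` field and the request shape are constructed.

```javascript
// Added example, not ClickUp's code: the anti-pattern described above next to
// a hardened handler. Flag names, emails, session ids, the request shape and
// the "audience" field are constructed for illustration.

// Constructed server-side flag store. Targeting rules reference user emails,
// the kind of data that must never be serialised to a client.
const FLAG_STORE = {
  'new-dashboard': {
    value: false, audience: 'public',
    rules: [{ emails: ['alice@example.invalid'] }],
  },
  'ai-pricing-tier-b': {
    value: false, audience: 'internal',
    rules: [{ emails: ['alice@example.invalid', 'bob@example.invalid'] }],
  },
  'rate-limit-bucket': { value: 500, audience: 'internal', rules: [] },
};

// The key that ships in the front-end bundle. Every visitor can read it, so
// it can name the application but can never prove who is asking.
const PUBLIC_SDK_KEY = 'sdk-client-example';

// Sessions established by a real login; only these carry identity.
const SESSIONS = new Map([
  ['sess-alice', { user: 'alice@example.invalid', internal: false }],
  ['sess-staff', { user: 'carol@example.invalid', internal: true }],
]);

// VULNERABLE: the public key is treated as authorisation and the whole
// store, rules included, goes back to whoever presents it. No session needed.
function vulnerableFlagsHandler(req) {
  if (req.query.key !== PUBLIC_SDK_KEY) return { status: 401, body: {} };
  return { status: 200, body: FLAG_STORE };
}

// Targeting is resolved on the server; the email list never leaves.
function evaluateFlag(flag, user) {
  const targeted = flag.rules.some((rule) => rule.emails.includes(user));
  return targeted ? true : flag.value;
}

// HARDENED: the key only identifies the client application; identity comes
// from the session; internal flags require an internal session; only the
// resolved value is returned, never the rule that produced it. A page that
// loads before login still gets the public flags at their default values.
function hardenedFlagsHandler(req) {
  if (req.query.key !== PUBLIC_SDK_KEY) {
    return { status: 400, body: { error: 'unknown client key' } };
  }
  const session = SESSIONS.get(req.cookies && req.cookies.session);
  const body = {};
  for (const [name, flag] of Object.entries(FLAG_STORE)) {
    if (flag.audience === 'internal' && !(session && session.internal)) continue;
    body[name] = session ? evaluateFlag(flag, session.user) : flag.value;
  }
  return { status: 200, body };
}

// Quick check a reviewer can run over any response: does it carry an email?
function responseLeaksEmails(body) {
  return JSON.stringify(body).includes('@');
}

const anonymous = { query: { key: PUBLIC_SDK_KEY }, cookies: {} };
console.log('vulnerable leaks emails:', responseLeaksEmails(vulnerableFlagsHandler(anonymous).body));
console.log('hardened, anonymous:', JSON.stringify(hardenedFlagsHandler(anonymous).body));
```

The hardened handler does not stop the key from being public; it makes the key harmless by refusing to let it stand in for a session and by never returning the targeting data that made the exposure damaging. Rotating the key alone would not have fixed this design, since the next key would be equally visible in the next bundle.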

ClickUp publicly promotes compliance and security controls, including SOC 2, ISO certifications, PCI DSS compliance, third-party penetration testing and a bug bounty programme. The case underlines a central tension in enterprise software procurement: compliance attestations can indicate formal controls, but they do not guarantee that implementation mistakes will be caught quickly or remediated promptly.

The timeline has raised questions over vulnerability disclosure handling. A flaw said to have been reported in January 2025 and still accessible in April 2026 would represent a prolonged remediation gap, particularly for a platform used across large organisations. Delays in rotating exposed keys or restricting backend endpoints can turn a limited disclosure into a long-running data exposure window.

ClickUp had not issued a detailed public acknowledgement addressing the specific API-key claim at the time the matter drew wider attention. The absence of a clear incident notice leaves affected organisations with limited information on whether exposed addresses were accessed by anyone beyond the researcher, whether logs were reviewed, whether the key was rotated, and whether customers will receive direct notifications.
