Just in:
Trump scraps Hormuz levy but tightens Iran blockade // Gadkari’s Ethanol Defence Is Losing The Public Argument // Louis Vuitton Celebrates 130 Years of the Monogram // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // TrendAI™ Named a Champion for the Fourth Consecutive Year in Omdia’s Global Cybersecurity Platform Ecosystems Leadership Matrix 2026 // Rhenus to Further Strengthen Warehousing Solutions in the Philippines // EU prosecutors examine subsidies linked to Babiš // Launch ceremony of third edition of Hong Kong Fashion Fest Held on July 9 // CyCraft Named a Sample Provider in the Gartner® Latest AI Reasoning Models Report—The Only Taiwan-Based Cybersecurity Provider Listed // Enshi Suobuya Stone Forest in China Launches Rich Cultural Experiences to Welcome Southeast Asian Tourists // Fynd brings AI fashion platform to Gulf // Guardian Fire expands Midwest reach with Nebraska deal // Dubai-Botswana pact opens new commodity trade corridor // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // “Achievements of National Aerospace Endeavours” Thematic Exhibition Makes First Stop at Hong Kong Science Park // US missiles disable tanker bound for Iran // AI tools sharpen cybercrime as quishing surges // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // Rival cyber spies penetrate Pakistan police networks // Dubai weighs turning organic waste into aviation fuel //

ClickUp email exposure raises SaaS alarm

A hardcoded API key embedded in ClickUp’s public website exposed 959 corporate and government email addresses and more than 3,000 internal feature flags for over a year, intensifying scrutiny of security controls at widely used software-as-a-service platforms.

The exposure was tied to a production JavaScript bundle that loaded before authentication, allowing anyone inspecting the page source to extract a third-party SDK token and send an unauthenticated request to a backend service. The data returned reportedly included enterprise email addresses, internal targeting rules and configuration details linked to feature rollouts, billing experiments, AI pricing tiers, rate-limiting settings and infrastructure routing.

ADVERTISEMENT

Security researcher Impulsive, known online as @weezerOSINT, said the issue was reported through HackerOne on January 17, 2025, but remained active in April 2026. “No account needed. No session needed at all, just view source and the SDK key is yours,” the researcher said while publishing redacted evidence of the exposure.

ClickUp, a San Diego-based productivity and project management platform, is used by businesses to manage tasks, documents, chat, dashboards, whiteboards and workflow automation. The company was valued at about $4 billion after a $400 million Series C funding round in 2021, bringing total funding to more than $535 million. Its customer base spans start-ups, large enterprises and public-sector users, making any exposure of corporate identifiers a potential entry point for targeted attacks.

The exposed email addresses reportedly included personnel from major companies such as Fortinet, Home Depot, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira and Akin Gump, along with government workers from several jurisdictions, including US states, Queensland in Australia and New Zealand. The dataset also included ClickUp employees and at least one Microsoft contractor, widening concern over how third-party SaaS ecosystems can create indirect risk for organisations that may not have suffered a direct breach of their own systems.

While email addresses alone are not equivalent to passwords or financial records, they can be valuable in phishing, credential stuffing and impersonation campaigns. The risk is higher when exposed addresses are associated with specific enterprise platforms, technical functions or organisations involved in cybersecurity, healthcare, law, retail, government and investment. Attackers can use such data to craft convincing messages that reference workplace tools, internal product features or vendor relationships.

The disclosure also highlighted a second layer of risk: internal feature flags. Feature flags are commonly used to control software rollouts, beta testing, pricing experiments and user segmentation. When exposed, they can reveal details about product development, customer targeting, infrastructure logic and experimental capabilities. Such information may support competitive intelligence, platform abuse or more precise reconnaissance by threat actors.

The reported weakness was not a complex intrusion but a failure of secret management and access control. API keys and SDK tokens embedded in client-side code are visible to users by design, and sensitive data should not be retrievable through public-facing requests without strict authorisation checks. Security teams typically mitigate this risk through key rotation, server-side proxying, least-privilege access, rate limits, monitoring and automated scanning for exposed credentials.

ClickUp publicly promotes compliance and security controls, including SOC 2, ISO certifications, PCI DSS compliance, third-party penetration testing and a bug bounty programme. The case underlines a central tension in enterprise software procurement: compliance attestations can indicate formal controls, but they do not guarantee that implementation mistakes will be caught quickly or remediated promptly.

The timeline has raised questions over vulnerability disclosure handling. A flaw said to have been reported in January 2025 and still accessible in April 2026 would represent a prolonged remediation gap, particularly for a platform used across large organisations. Delays in rotating exposed keys or restricting backend endpoints can turn a limited disclosure into a long-running data exposure window.

ClickUp had not issued a detailed public acknowledgement addressing the specific API-key claim at the time the matter drew wider attention. The absence of a clear incident notice leaves affected organisations with limited information on whether exposed addresses were accessed by anyone beyond the researcher, whether logs were reviewed, whether the key was rotated, and whether customers will receive direct notifications.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com
Just in:
Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era // Rival cyber spies penetrate Pakistan police networks // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // Guardian Fire expands Midwest reach with Nebraska deal // EU prosecutors examine subsidies linked to Babiš // BlackRock Bitcoin fund assets approach $48 billion // Dealing.com claims record for tokenised stock access // Inflation In India Rising Sharply Since January 2026, Highest In June // Iran widens energy threat as Hormuz battle escalates // TrendAI™ Named a Champion for the Fourth Consecutive Year in Omdia’s Global Cybersecurity Platform Ecosystems Leadership Matrix 2026 // Dubai-Botswana pact opens new commodity trade corridor // Dubai weighs turning organic waste into aviation fuel // Gadkari’s Ethanol Defence Is Losing The Public Argument // Rhenus to Further Strengthen Warehousing Solutions in the Philippines // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // Enshi Suobuya Stone Forest in China Launches Rich Cultural Experiences to Welcome Southeast Asian Tourists // Louis Vuitton Celebrates 130 Years of the Monogram // De Beers halts Venetia output amid diamond slump // AI tools sharpen cybercrime as quishing surges // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities //