
ClickUp’s Hardcoded API Key Has Silently Leaked 959 Corporate and Government Emails for 15 Months

dark6 28 April 2026

A publicly accessible JavaScript file embedded in ClickUp’s homepage has been silently leaking nearly a thousand corporate and government email addresses for more than fifteen months — the result of a hardcoded third-party API key that was first reported to the company in January 2025 and, as of late April 2026, had still not been rotated. The exposure was discovered through straightforward inspection of ClickUp’s own homepage source code and requires no authentication, no credential theft, and no sophisticated tooling to exploit.

The Discovery

A security researcher visiting ClickUp’s public homepage noticed a JavaScript file that loads before any user authentication takes place. Inside the file sat a hardcoded API key belonging to a third-party service integrated into ClickUp’s frontend. Using the key required only a single unauthenticated GET request, which returned 959 email addresses and 3,165 internal feature flags belonging to ClickUp customers and employees.

Retrieving the data required no bypass techniques — no CSRF exploitation, no token forgery, no brute-forcing. A basic HTTP request carrying the publicly visible key was sufficient to retrieve the full dataset.

Who Was Exposed

The leaked email addresses span an alarming cross-section of enterprise and government organizations. Among the confirmed affected parties are employees from:

  • Fortinet, Tenable, Autodesk, Rakuten, and Home Depot
  • Mayo Clinic and major financial institutions
  • State government agencies in Wyoming, Arkansas, North Carolina, and Montana
  • Government entities in Queensland (Australia) and New Zealand
  • A Microsoft contractor and 71 ClickUp employees themselves

Beyond email addresses, the exposed feature flag data provides a window into ClickUp’s internal product roadmap, infrastructure configuration decisions, and customer-tier segmentation — information that could be valuable for competitive intelligence or targeted social engineering attacks.

The Timeline: 15 Months of Inaction

The vulnerability was responsibly disclosed to ClickUp through HackerOne on January 17, 2025. As of the researcher’s public disclosure in late April 2026, the API key had not been rotated and the endpoint remained accessible — a gap of more than 15 months between initial report and public awareness, with no apparent remediation in between.

This timeline is particularly striking given ClickUp’s security posture claims. The company holds SOC 2 Type 2 certification, ISO 27001, ISO 27017, ISO 27018, ISO 42001, and PCI DSS compliance badges — standard enterprise compliance certifications that clearly failed to catch a hardcoded credential in a public JavaScript file.

Why This Is More Than a Simple API Key Exposure

On the surface, a leaked API key sounds like a minor misconfiguration. In this case, however, several factors elevate the risk:

  • Scale of affected organizations: With ClickUp claiming that 85% of Fortune 500 companies use its platform, even a limited sample of email addresses extracted from a single frontend endpoint represents a meaningful data asset for threat actors engaged in credential stuffing, spear-phishing, or business email compromise campaigns.
  • Government exposure: The presence of state and foreign government workers in the leaked set raises supply-chain and insider-risk concerns beyond typical SaaS data leaks.
  • Feature flag leakage: Internal feature flags can reveal unannounced product capabilities, infrastructure choices, and experimental configurations — data that security-conscious organizations would typically classify as sensitive internal information.
  • Zero-effort exploitation: The fact that exploitation requires only a standard HTTP GET request means the data could have been collected at any point over the 15-month exposure window by anyone who inspected ClickUp’s public JavaScript, including automated scrapers.

Recommendations

For organizations that use ClickUp, security teams should review email addresses associated with ClickUp accounts for potential targeting, be alert for spear-phishing attempts that reference ClickUp-specific context, and monitor for unusual access patterns in ClickUp tenants. More broadly, this incident highlights the need for automated secrets-scanning in frontend build pipelines and regular rotation of third-party API credentials embedded in client-side code — controls that compliance certifications do not automatically enforce.
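A minimal version of the secrets-scanning control mentioned above, written as an added example for a frontend build pipeline; it is not ClickUp's or the researcher's tooling, and the bundle contents, the key value and the list of key-like identifiers are all constructed assumptions:

```javascript
// Added example (not ClickUp's tooling): scan a built frontend bundle for hardcoded
// third-party API keys before deployment. Two signals are combined: a key-like
// identifier assigned a string literal, and enough entropy in that literal to look
// like a real credential rather than a placeholder.

// Shannon entropy in bits per character; random API keys typically score well above 3.5.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Matches e.g. apiKey:"...", API_KEY = '...', clientSecret:`...` with a 16+ char literal.
const KEY_ASSIGNMENT =
  /\b(api[_-]?key|secret[_-]?key|client[_-]?secret|access[_-]?token|auth[_-]?token)\b\s*[:=]\s*["'`]([A-Za-z0-9_\-./+=]{16,})["'`]/gi;

// One finding per suspicious literal. Only a short prefix of the value is reported,
// so the scanner does not itself copy the secret into CI logs.
function scanBundle(source, minEntropy = 3.5) {
  const findings = [];
  for (const m of source.matchAll(KEY_ASSIGNMENT)) {
    const [, name, value] = m;
    const entropy = shannonEntropy(value);
    if (entropy < minEntropy) continue; // low entropy: placeholder or constant, not a key
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ line, name, preview: value.slice(0, 6) + "...", entropy: Number(entropy.toFixed(2)) });
  }
  return findings;
}

// Constructed sample bundle (not real ClickUp code): a made-up live-looking key,
// a low-entropy placeholder, and a runtime reference that is not a literal.
const SAMPLE_BUNDLE = [
  "// constructed sample bundle",
  'const cfg={apiKey:"sdk_live_9fA3kQ2mXz7LpR4vT8wE1bN6",endpoint:"https://flags.example.invalid/v1"};',
  'const ui={theme:"default",apiKey:"placeholder_value",maxRetries:3};',
  'fetch(cfg.endpoint+"/users",{headers:{Authorization:"Bearer "+cfg.apiKey}});',
].join("\n");

// CI gate: a non-empty finding list should fail the build before the bundle ships.
function bundleIsClean(source) {
  return scanBundle(source).length === 0;
}

for (const f of scanBundle(SAMPLE_BUNDLE)) console.log(`line ${f.line}: ${f.name} = ${f.preview} (entropy ${f.entropy})`);
```

Run it against the emitted bundle directory in CI and fail the job when `bundleIsClean` returns false; the entropy threshold keeps obvious placeholders from producing noise while still flagging random-looking literals.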
