In the high-growth world of SaaS, “moving fast” often comes at the expense of “moving securely.” On April 26, 2026, a security disclosure revealed that ClickUp—the $4 billion productivity giant—has been silently leaking sensitive enterprise and government data for over 15 months.
The cause? One of the most elementary errors in web development: a hardcoded third-party API key embedded in a publicly accessible JavaScript file on the ClickUp homepage. While ClickUp claims that 85% of the Fortune 500 rely on its “One app to replace them all,” this incident proves that even the most valued platforms can fail at basic secret management.
The Leak: 959 Emails and 3,165 Internal Flags
The vulnerability was first reported to ClickUp via HackerOne on January 17, 2025. However, as of late April 2026, the key remained unrotated and active in production.
By simply inspecting the page source—an action requiring no specialized hacking tools—a researcher discovered the key loading before any user authentication took place. A single unauthenticated GET request returned a JSON payload containing:
- 959 Corporate & Government Emails: Direct addresses for employees at high-value targets.
- 3,165 Internal Feature Flags: A roadmap of ClickUp’s internal development, beta features, and A/B tests.
A Who’s Who of Exposed Targets
The leaked emails represent a cross-section of global infrastructure and security leadership:
- Cybersecurity Giants: Fortinet and Tenable.
- Retail & Enterprise: Home Depot, Autodesk, and Rakuten.
- Healthcare & Legal: Mayo Clinic and Akin Gump.
- Governments: State employees from Wyoming, Arkansas, North Carolina, and Montana, plus officials from Australia and New Zealand.
Why This Matters: The Phishing Perimeter
The exposure of employee emails from companies like Fortinet (firewall manufacturers) and Tenable (creators of Nessus) is particularly alarming. These organizations are the bedrock of global cybersecurity.
By harvesting these emails, threat actors don’t just get a list of names; they get a pre-validated target list for:
- Precision Phishing: Crafting emails that appear to come from ClickUp regarding “internal project updates” to steal corporate credentials.
- Social Engineering: Using the leaked “feature flags” to sound like an internal developer when calling a help desk.
- Credential Stuffing: Attempting to use these emails with common passwords against other corporate portals.
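On the defensive side of the phishing perimeter described above, here is an added example (not part of the original article) of a triage rule a mail gateway could apply to inbound messages that invoke the ClickUp brand. It checks whether the brand appears in the display name or subject while the sender domain is outside the allow-list, whether Reply-To diverges from From, whether DMARC passed, whether any link host is a look-alike, and whether the subject carries credential-lure wording. The message fields, the allow-list of legitimate domains, the scoring and the two sample messages are all constructed assumptions to adapt to your own environment.

```javascript
// Added example, not from the article: triage rule for mail claiming to be
// from ClickUp. Inputs are assumed to come from a parsed message: From address,
// display name, subject, Reply-To, authentication results and link hosts.

const BRAND = 'clickup';
// Assumed allow-list of legitimate sender/link domains; verify against your own records.
const LEGIT_DOMAINS = ['clickup.com'];

// Domain part of an address such as "Name <user@host>" or "user@host".
function domainOf(addr) {
  const m = /@([^>\s]+)/.exec(addr || '');
  return m ? m[1].toLowerCase() : '';
}

function isLegit(domain) {
  return LEGIT_DOMAINS.some((d) => domain === d || domain.endsWith('.' + d));
}

// Returns { verdict: 'allow' | 'flag' | 'quarantine', reasons: [...] }.
function scoreMessage(msg) {
  const reasons = [];
  const fromDomain = domainOf(msg.from);
  const display = (msg.fromDisplayName || '').toLowerCase();
  const subject = (msg.subject || '').toLowerCase();
  const mentionsBrand = display.includes(BRAND) || subject.includes(BRAND);

  if (mentionsBrand && !isLegit(fromDomain)) {
    reasons.push('brand in display name/subject but sender domain is ' + fromDomain);
  }
  if (msg.replyTo && domainOf(msg.replyTo) !== fromDomain) {
    reasons.push('Reply-To domain differs from From domain');
  }
  if (msg.authResults && msg.authResults.dmarc !== 'pass') {
    reasons.push('DMARC did not pass');
  }
  for (const host of msg.linkHosts || []) {
    const h = host.toLowerCase();
    if (h.includes(BRAND) && !isLegit(h)) reasons.push('look-alike link host ' + h);
  }
  if (mentionsBrand && /\b(credential|password|verify|re-?authenticate|sign in)\b/.test(subject)) {
    reasons.push('credential lure wording in subject');
  }

  // Assumed policy: one signal is worth a human look, two or more go to quarantine.
  const verdict = reasons.length >= 2 ? 'quarantine' : reasons.length === 1 ? 'flag' : 'allow';
  return { verdict, reasons };
}

// Constructed sample messages; neither is a real email.
const SAMPLES = [
  {
    id: 'legit-notification',
    from: 'notifications@clickup.com',
    fromDisplayName: 'ClickUp',
    subject: 'Task assigned to you',
    replyTo: null,
    authResults: { dmarc: 'pass' },
    linkHosts: ['app.clickup.com'],
  },
  {
    id: 'impersonation',
    from: 'support@clickup-updates.example',
    fromDisplayName: 'ClickUp Security',
    subject: 'Action required: verify your ClickUp password',
    replyTo: 'help@mailbox.example',
    authResults: { dmarc: 'none' },
    linkHosts: ['clickup-login.example'],
  },
];

for (const s of SAMPLES) {
  const r = scoreMessage(s);
  console.log(s.id, '=>', r.verdict, r.reasons);
}
```

The rule is deliberately conservative: a message that merely mentions ClickUp from a legitimate domain with passing DMARC produces no signal, while a look-alike sender with a divergent Reply-To and lure wording accumulates several and is quarantined.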
[Image showing a code snippet of hardcoded API keys in a JavaScript file, highlighting the lack of obfuscation]
The Persistent Failure: 15 Months of Inaction
What makes this incident “difficult to justify,” according to security analysts, is the timeline.
- January 2025: Initial report submitted via HackerOne.
- 2025–2026: Multiple follow-ups by researchers indicating the data was still live.
- April 2026: The full disclosure goes public after the key remained unrotated for over 450 days.
Hardcoded secrets in client-side code are a “solved” problem in modern DevOps. Tools like GitHub Secret Scanning, TruffleHog, and GitGuardian are designed specifically to catch these leaks before they reach production. The fact that this key survived in a high-traffic environment suggests a breakdown in ClickUp’s automated security auditing.
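The kind of automated check the paragraph refers to, as an added example that is neither ClickUp's code nor any of the named tools: a small Node.js script that scans a built front-end bundle for embedded credentials before it can be deployed. It combines well-known key prefixes with an entropy test on string literals assigned to credential-looking names, and redacts what it reports so the report itself cannot re-leak a secret. The prefix patterns, the name pattern and the entropy threshold are assumptions to tune against your own code base; the sample bundle is constructed, and the AWS value in it is the placeholder used in AWS documentation, not a live key.

```javascript
// Added example, not code from ClickUp or from GitHub Secret Scanning,
// TruffleHog or GitGuardian. Pre-deploy check for secrets in a JS bundle.

// Detector 1: key formats with a recognisable prefix.
const KNOWN_PREFIXES = [
  { type: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'Stripe secret key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
];

// Detector 2: a string literal of 16+ characters assigned to an identifier or
// property whose name contains key/token/secret/password (assumed name pattern),
// e.g. apiKey: "..." or SDK_KEY = '...'.
const SECRET_NAME_RE =
  /([A-Za-z_$][\w$]*(?:key|token|secret|password|passwd)[\w$]*)\s*[:=]\s*(["'`])([^"'`\n]{16,})\2/gi;

// Shannon entropy in bits per character; random API keys sit well above
// ordinary identifiers, words and URLs.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function lineOf(src, index) {
  return src.slice(0, index).split('\n').length;
}

// Keep only the first four characters so the report cannot re-leak the value.
function redact(value) {
  return value.slice(0, 4) + '*'.repeat(Math.max(0, value.length - 4));
}

// Returns one finding per distinct (line, value): { type, line, name?, sample }.
function scanBundle(src, entropyThreshold = 3.5) {
  const findings = [];
  const seen = new Set();
  const add = (f) => {
    const k = f.line + ':' + f.sample;
    if (!seen.has(k)) { seen.add(k); findings.push(f); }
  };
  for (const { type, re } of KNOWN_PREFIXES) {
    for (const m of src.matchAll(re)) {
      add({ type, line: lineOf(src, m.index), sample: redact(m[0]) });
    }
  }
  for (const m of src.matchAll(SECRET_NAME_RE)) {
    const [, name, , value] = m;
    if (shannonEntropy(value) >= entropyThreshold) {
      add({ type: 'high-entropy literal', name, line: lineOf(src, m.index), sample: redact(value) });
    }
  }
  return findings;
}

// Gate for CI: fail the build when anything is found.
function bundleIsClean(src) {
  return scanBundle(src).length === 0;
}

// Constructed sample bundle; nothing here is a real ClickUp artefact. The AWS
// value is the placeholder from AWS documentation, never a live key.
const SAMPLE_BUNDLE = `
window.__cfg = {
  apiBase: "https://api.example.invalid/v1",
  featureFlagKey: "sdk-0f7c1e2d-3a4b-4c5d-8e6f-7a8b9c0d1e2f",
  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",
  theme: "light"
};
`;

console.log(JSON.stringify(scanBundle(SAMPLE_BUNDLE), null, 2));
console.log('clean:', bundleIsClean(SAMPLE_BUNDLE));
```

Run it over the output of your bundler as the last build step, and treat any finding as a hard failure; the URL on the sample's apiBase line is deliberately not reported, since a public endpoint is not a secret and the name pattern does not match it.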
Impact Analysis: The Feature Flag Risk
While the emails are the primary privacy concern, the 3,165 internal feature flags provide a goldmine for competitive intelligence. Feature flags reveal:
- Which features are being tested for “Enterprise” vs. “Free” tiers.
- Unreleased integrations with other platforms.
- The internal naming conventions and architectural logic of the ClickUp platform.
For a competitor or a sophisticated threat actor, this data provides a blueprint of the platform’s “under-the-hood” mechanics, allowing them to look for vulnerabilities in unreleased code before it even hits the general public.
Expert Recommendations: Auditing Your SaaS Footprint
If your organization uses ClickUp, you should assume that any email address associated with the account is now in a “high-risk” category for targeted attacks.
- Mandatory MFA: Ensure that Multi-Factor Authentication (MPath/FIDO2) is strictly enforced for all ClickUp users, especially those at the admin level.
- Reset “Vibe” Credentials: If your teams use similar passwords across platforms, initiate a proactive password reset for all exposed users.
- Secret Management Audit: Use this as a case study to audit your own internal web applications. Ensure that API keys for services like LaunchDarkly, Stripe, or AWS are never stored in client-side JavaScript.
- Phishing Simulations: Run a simulation targeting your team with a “ClickUp-themed” lure to gauge awareness and susceptibility.
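For the secret-management audit item, here is an added example in Node.js (not ClickUp's code) that puts the vulnerable pattern from this article, a third-party key inlined in the client bundle, next to the server-side pattern that replaces it: the key is read from a secret store, the upstream call happens on the server, and the browser receives only the flags it is allowed to see, already evaluated for the signed-in user. The upstream API, its response shape, the rollout rule and the placeholder key are constructed assumptions so the example runs offline.

```javascript
// Added example, not ClickUp's code. Vulnerable client-side pattern versus a
// backend proxy with a server-held secret and a minimised response.

// Constructed placeholder standing in for a real third-party key.
const DEMO_KEY = 'PLACEHOLDER-third-party-key';

// What the (constructed) third-party API hands back to any caller presenting a
// valid key: the flags themselves plus data the browser has no business receiving.
const FAKE_UPSTREAM_RESPONSE = {
  flags: [
    { name: 'new-dashboard', exposeToClient: true, rolloutPercent: 50, targets: ['u-42'] },
    { name: 'internal-billing-v2', exposeToClient: false, rolloutPercent: 0, targets: [] },
  ],
  users: ['alice@example.com', 'bob@example.com'], // constructed roster
};

function fakeUpstream(path, headers) {
  if (path !== '/flags' || headers['X-Api-Key'] !== DEMO_KEY) {
    return { error: 'unauthorized' };
  }
  return FAKE_UPSTREAM_RESPONSE;
}

// ---- Vulnerable pattern: the key lives in the bundle every visitor downloads.
const INSECURE_CLIENT_CONFIG = { thirdPartyApiKey: DEMO_KEY };

function insecureClientFetchFlags(upstream) {
  // Runs in the browser before any login. Anyone who reads the bundle can replay
  // this call and receives the entire payload, user roster included.
  return upstream('/flags', { 'X-Api-Key': INSECURE_CLIENT_CONFIG.thirdPartyApiKey });
}

// ---- Hardened pattern: backend endpoint, server-held secret, scoped response.
// getSecret is assumed to read from an environment variable or a secret store.
function makeFlagProxy({ getSecret, upstream }) {
  return function handleFlagsRequest(session) {
    if (!session || !session.userId) {
      return { status: 401, body: { error: 'authentication required' } };
    }
    const raw = upstream('/flags', { 'X-Api-Key': getSecret('THIRD_PARTY_API_KEY') });
    if (!raw.flags) return { status: 502, body: { error: 'upstream rejected request' } };
    // Data minimisation: evaluate flags server-side and return name -> boolean
    // for this user only. Internal flags, rollout metadata and the user roster
    // never leave the server.
    const flags = {};
    for (const f of raw.flags) {
      if (f.exposeToClient) flags[f.name] = evaluateForUser(f, session.userId);
    }
    return { status: 200, body: { flags } };
  };
}

// Deterministic percentage rollout; an assumption for the demo.
function bucket(userId) {
  let h = 0;
  for (const c of userId) h = (h * 31 + c.charCodeAt(0)) % 100;
  return h;
}
function evaluateForUser(flag, userId) {
  return flag.targets.includes(userId) || bucket(userId) < flag.rolloutPercent;
}

// Assembled the way a server would, with the secret injected rather than inlined.
const handleFlagsRequest = makeFlagProxy({
  getSecret: (name) => ({ THIRD_PARTY_API_KEY: DEMO_KEY })[name],
  upstream: fakeUpstream,
});

console.log('insecure client sees:', JSON.stringify(insecureClientFetchFlags(fakeUpstream)));
console.log('proxy, no session:', JSON.stringify(handleFlagsRequest(null)));
console.log('proxy, user u-42:', JSON.stringify(handleFlagsRequest({ userId: 'u-42' })));
```

Two properties are worth checking in your own code review: the serialised proxy response must never contain the upstream key, and it must never contain fields the browser did not need (here the user roster and the non-exposed flag), because the leak described in this article was exactly an over-broad payload reachable with a shipped key.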
FAQs
1. Was my ClickUp vault or data breached?
No. This was a leak of metadata and user identifiers (emails) via a third-party API key, not a direct breach of the ClickUp database or user workspaces.
2. How did the researcher find the key?
It was visible in the “Sources” tab of the Chrome Developer Tools on the ClickUp homepage. No “hacking” or bypass was required; it was served to every visitor by default.
3. Which government agencies were affected?
Records were found for government workers in Wyoming, Arkansas, North Carolina, and Montana, as well as Queensland (Australia) and New Zealand.
4. Has ClickUp responded?
As of late April 2026, ClickUp has not issued a formal public acknowledgment of why the key remained unrotated for 15 months following the initial report.
Conclusion: Security is a Continuous Process
The ClickUp exposure is a sobering reminder that a $4 billion valuation does not guarantee 100% security hygiene. When “sloppy secret management” involves the emails of the world’s leading cybersecurity firms and government agencies, the ripple effects can be felt across the entire global supply chain.
Action Item: Check the list of exposed domains. If your company is on it, heighten your email security filters for “ClickUp” impersonations immediately.