In a significant cybersecurity lapse, ClickUp has unintentionally exposed nearly a thousand corporate and government email addresses via a publicly accessible JavaScript file. This incident involves a hardcoded third-party API key that was identified in January 2025 and remains unaddressed as of April 2026.
Email Exposure and Its Discovery
The vulnerability was discovered by a security researcher who inspected ClickUp’s homepage. The researcher found the hardcoded API key embedded in a JavaScript file loaded before user authentication. Using an unauthenticated GET request, the researcher accessed 959 email addresses and 3,165 internal feature flags without needing credentials or advanced tools.
These exposed emails include employees from major companies such as Home Depot, Fortinet, Autodesk, Tenable, and Mayo Clinic, as well as government workers from several U.S. states and international locations like Queensland and New Zealand.
Implications of the Data Leak
The exposure is particularly concerning due to the nature of the affected organizations. Fortinet and Tenable are key players in the cybersecurity industry, providing critical infrastructure protection and vulnerability scanning tools. The leak of their employees’ email addresses could facilitate phishing attacks and other social engineering tactics.
Beyond email addresses, the internal feature flags revealed through this API key offer insight into product development processes, beta features, and testing configurations. This information could be exploited for competitive intelligence or to manipulate the platform.
Response and Consequences
Although the issue was reported to ClickUp via HackerOne in early 2025, the API key had still not been rotated more than 15 months later. The researcher confirmed that the data was still accessible just before making the disclosure public.
This situation highlights a severe oversight in ClickUp’s security practices, especially given the company’s prominence and the scale of its operations. ClickUp has raised substantial venture capital and claims extensive use among Fortune 500 companies. Yet, it has not publicly addressed this ongoing security issue.
Hardcoded secrets in client-side JavaScript are well-documented vulnerabilities, making this oversight particularly inexcusable. As of now, ClickUp has not made any public statements regarding the exposure.
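A defender-side check for the class of defect described above, added here as an example and not ClickUp's code or the researcher's tooling: it scans a JavaScript bundle for quoted values assigned to credential-like identifiers, or values that are random-looking (high entropy), which is the kind of pre-deploy secret scan that catches a hardcoded key in a script served before authentication. The bundle contents, identifiers and key values are constructed for the example.

```python
import math
import re

# Constructed stand-in for a pre-authentication front-end bundle. The names
# and values are invented for this example; none of them are ClickUp's.
SAMPLE_BUNDLE = """
const FLAGS_ENDPOINT = "https://flags.example.invalid/v1/features";
const FLAGS_API_KEY = "sk_example_0123456789abcdefABCDEF0123456789";
const cfg = "qZ8xT2mL0vR7yW4pN6kJ1hG5fD3sA9eC";
const welcomeMessage = "Welcome back to your workspace";
"""

# Identifier names that usually hold credentials, and quoted string
# assignments/properties of at least 16 whitespace-free characters
# (a typical API-key length; prose with spaces is not considered).
SECRET_NAME = re.compile(r"(?i)api[_-]?key|secret|token|auth|password")
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_$][\w$]*)\s*[:=]\s*["'](?P<value>[^"'\s]{16,})["']"""
)


def shannon_entropy(s):
    """Bits per character; random base62 keys score near 5, English near 4."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def find_hardcoded_secrets(js_source, min_entropy=4.5):
    """Return (name, reason) for each assignment that looks like a secret.

    A value is flagged when its identifier is credential-like, or when the
    value itself is high-entropy (random-looking). URLs are skipped because
    they are expected in client-side code.
    """
    findings = []
    for m in ASSIGNMENT.finditer(js_source):
        name, value = m.group("name"), m.group("value")
        if value.startswith(("http://", "https://")):
            continue
        if SECRET_NAME.search(name):
            findings.append((name, "credential-like identifier"))
        elif shannon_entropy(value) >= min_entropy:
            findings.append((name, "high-entropy value"))
    return findings


if __name__ == "__main__":
    for name, reason in find_hardcoded_secrets(SAMPLE_BUNDLE):
        print(f"{name}: {reason}")
```

Run against built assets in CI so a flagged assignment blocks the release; a finding should be moved server-side or replaced by a scoped, rotatable credential rather than whitelisted.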
