ClickUp Hardcoded API Key Exposes 959 Corporate & Govt Emails
A publicly accessible JavaScript file embedded on ClickUp’s homepage has been silently leaking nearly 1,000 corporate and government email addresses for over 15 months through a hardcoded third-party API key that remains unrotated as of late April 2026, despite being reported to the company in January 2025.
The exposure was identified by a security researcher who, without authentication, inspected the source code of ClickUp’s homepage and discovered the API key hardcoded directly in a JavaScript file loaded before any user login.
A single unauthenticated GET request using the key returned 959 email addresses and 3,165 internal feature flags, requiring no credentials, no exploit chain, and no sophisticated tooling.
The leaked dataset spans a deeply concerning cross-section of enterprise and government organizations.
Hardcoded API Key Exposes 959 Emails
Affected employees include individuals from Fortinet, Home Depot, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and law firm Akin Gump, as well as government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland (Australia), and New Zealand. A Microsoft contractor and 71 ClickUp employees are also among those exposed.
The severity of the exposure is amplified by who appears on the list. Fortinet manufactures enterprise firewalls deployed globally across critical infrastructure. Tenable develops Nessus, the vulnerability scanner used by a significant portion of the cybersecurity industry.
Exposing employee email addresses from these organizations through a productivity platform’s misconfigured secrets management creates a direct attack surface for targeted phishing, credential stuffing, and social engineering campaigns against the very companies responsible for defending others.
Beyond email addresses, the 3,165 internal feature flags leaked alongside the PII present a secondary threat vector.
These flags expose internal product development signals, beta feature configurations, and A/B testing parameters, potentially enabling malicious actors with knowledge of ClickUp’s internal architecture to gather competitive intelligence or target platform abuse.
The vulnerability was formally reported to ClickUp through HackerOne on January 17, 2025. As of late April 2026, more than 15 months after that report, the API key had still not been rotated.
The researcher confirmed the data remained live, having pulled the full API response minutes before the disclosure went public.
This is not a zero-day exploit. It is a known vulnerability sitting in production, unaddressed, quietly exposing enterprise PII across one of the world’s most widely deployed project management platforms.
ClickUp has raised $535 million at a $4 billion valuation and publicly claims 85% of the Fortune 500 use its platform.
Hardcoded secrets in client-side JavaScript represent one of the most thoroughly documented and preventable vulnerability classes in modern web application development.
Industry-standard secret scanning tools, pre-deployment security reviews, and basic secure development lifecycle (SDL) practices would have caught and remediated this before it ever reached production.
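The pre-deployment check the paragraph above refers to, as an added example that is neither ClickUp's nor any scanning vendor's code: a minimal scanner that flags high-entropy string literals assigned to secret-looking identifiers in a client-side bundle, the pattern behind this exposure. The sample bundle, the key value and the entropy threshold are constructed for this example.

```python
import math
import re

# Constructed sample of a client-side bundle with a hardcoded third-party key
# (the key value below is made up for this example, not ClickUp's actual key).
SAMPLE_JS = """
window.__featureFlags = loadFlags();
const FLAG_SERVICE_API_KEY = "sk_live_Zq8pLm3vN1xR7bTy9wKd4Ea2Ho6Sg5Uj";
const PAGE_TITLE = "Welcome to the homepage";
fetch("https://flags.example.invalid/v1/flags?key=" + FLAG_SERVICE_API_KEY);
"""

# Identifiers that commonly hold a secret; matched case-insensitively.
SECRET_NAME_RE = re.compile(r"(api[_-]?key|secret|token|password)", re.I)
# A quoted literal of 16+ characters assigned to a variable or property.
ASSIGNMENT_RE = re.compile(
    r"""(?P<name>[A-Za-z_][\w\-]*)\s*[:=]\s*["'](?P<value>[^"']{16,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys score far higher than UI text."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(js_source: str, min_entropy: float = 4.0):
    """Return (line_no, name, value) for literals that look like embedded secrets.

    A literal is flagged only when the identifier looks secret-bearing AND the
    value is high-entropy; the entropy test rejects ordinary strings that just
    happen to sit in a variable with 'key' in its name.
    """
    findings = []
    for line_no, line in enumerate(js_source.splitlines(), start=1):
        for m in ASSIGNMENT_RE.finditer(line):
            name, value = m.group("name"), m.group("value")
            if SECRET_NAME_RE.search(name) and shannon_entropy(value) >= min_entropy:
                findings.append((line_no, name, value))
    return findings


if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_secrets(SAMPLE_JS):
        # Print a redacted prefix so the scanner's own output does not re-leak the key.
        print(f"line {line_no}: {name} = {value[:6]}... (fail the build)")
```

A real pipeline would run this over every built bundle before deploy and fail the build on any finding; a key that must reach the browser belongs behind a server-side proxy that enforces authentication and scopes what the upstream API may return.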