
A security researcher claims to have obtained the email addresses of 959 of the project management platform ClickUp’s customers, including employees from Fortune 500 companies and government agencies. All it reportedly took was sending a single HTTP GET request to exploit a hardcoded API key. ClickUp acknowledged the incident and said that 893 emails are affected.
A security researcher who goes by the alias Impulsive (@weezerOSINT) on X complained that ClickUp hasn’t fixed a vulnerability first reported via HackerOne on January 17th, 2025, well over a year ago.
“Found a hardcoded API key in the JavaScript. Copied it. Sent one GET request. Got back 959 email addresses and 3,165 internal feature flags,” the researcher’s post reads.
The researcher claims that one of ClickUp’s production endpoints has a hardcoded Split.io SDK token. Split.io is a feature delivery platform used for controlling application features, staged rollouts, A/B testing, and more.
“No account needed. No session needed at all, just view source and the SDK key is yours,” the researcher claims.
The researcher shared redacted screenshots of the leaking data and claims that some exposed employees are from major companies, including Home Depot, Fortinet, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and Akin Gump.
The leaking emails include government workers and ClickUp’s own employees.
“One request to split.io’s API returns 4.5MB of ClickUp’s internal configuration. Every feature flag, every targeting rule, every email in every whitelist. Billing experiments, churn prevention offers, AI pricing tiers, rate limiter IP whitelists, infrastructure routing,” the researcher’s post reads.
The researcher also claims to have directly emailed the company’s CEO and sent direct messages on X, to no avail.
Cybernews found that the hardcoded authorization key was present in the JS bundle for the specified endpoint, but didn’t test whether it was active or functional. We have reached out to ClickUp for comment – we’ll update this story with its response.
A second critical vulnerability allegedly allows scanning ClickUp’s entire AWS infrastructure using a free account.
“Reported April 8th through HackerOne. Provided port scans, http://webhook.site captures with ClickUp's own source IPs, redirect chains to IMDS and Redis, and every non-HTTP protocol confirmed,” the researcher complains.
The researcher noted that ClickUp is certified under numerous cybersecurity compliance standards, such as SOC 2 Type 2, ISO 27001, and PCI DSS, but that these certifications do not prevent major flaws.
“They accept vulnerability reports through HackerOne, pay nothing, and let confirmed issues sit for over a year while customer PII stays exposed,” one of the researcher’s posts reads.
ClickUp acknowledged it’s on them
ClickUp acknowledged the exposure and confirmed that it was limited to 893 customer email addresses.
“We should have caught this sooner. We didn’t, and we owe you a clear explanation of what happened, why, and what we’ve done about it now and how we’re improving moving forward,” the company said in a blog post detailing the incident.
ClickUp assures that no workspace content, passwords, billing, or other sensitive information was exposed, and that no authentication systems were compromised. The company is directly communicating with affected users.
The advisory explains that the exposed key itself is not an issue.
“Split.io requires a client-side SDK key embedded in the application’s JavaScript bundle. This key is intentionally public, and it’s how the SDK evaluates flags for the current user in the browser. This is standard, documented behavior across Split.io, LaunchDarkly, and similar platforms, and it is not a vulnerability,” the company explains.
The real issue is that ClickUp engineers put the data inside the flag configurations themselves, using customer email addresses directly in flag targeting rules.
“Anyone with the client-side key (which, again, is intentionally in our frontend code) could retrieve those flag definitions and extract the email addresses embedded in them,” the company said.
ClickUp audited all feature flags, removed exposed email addresses, and also disabled one exposed customer’s API token.
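As an added example (not ClickUp’s or Split.io’s code), the check below shows the defender-side lesson from the passages above: a lint that finds email addresses embedded in client-evaluated flag targeting rules, and a rewrite that replaces them with keyed hashes so the definitions fetched with the public SDK key carry no addresses. The flag JSON layout, flag names, addresses and secret are constructed for illustration and do not follow Split.io’s real schema.

```python
import hashlib
import hmac
import json
import re

# Constructed sample of a client-evaluated feature flag configuration.
# The layout is illustrative only and is not Split.io's actual schema.
FLAG_CONFIG = json.loads("""
{
  "flags": [
    {"name": "ai_pricing_tier_v2",
     "rules": [{"match": "user_email", "in": ["alice@example.com", "bob@example.org"]}]},
    {"name": "rate_limiter_bypass",
     "rules": [{"match": "user_key", "in": ["u_1029", "u_4471"]}]},
    {"name": "churn_offer_q2",
     "rules": [{"match": "user_email", "in": ["carol@example.net"]}]}
  ]
}
""")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_pii_in_flags(config):
    """Return (flag_name, value) for every targeting value that looks like an email.
    Run this in CI against flag definitions before they reach a client-side SDK."""
    hits = []
    for flag in config["flags"]:
        for rule in flag.get("rules", []):
            for value in rule.get("in", []):
                if EMAIL_RE.match(value):
                    hits.append((flag["name"], value))
    return hits


def pseudonymise(config, secret):
    """Rewrite email-based rules to match an HMAC of the email instead.
    The server computes the same HMAC at login and hands it to the client as
    its user key, so a downloaded flag definition reveals no address. Evaluating
    flags server-side removes the targeting list from the client entirely and is
    the stronger fix; this rewrite is the minimal one for client-side evaluation."""
    fixed = json.loads(json.dumps(config))  # deep copy, leave the input untouched
    for flag in fixed["flags"]:
        for rule in flag.get("rules", []):
            if rule.get("match") == "user_email":
                rule["match"] = "user_key"
                rule["in"] = [
                    hmac.new(secret, v.lower().encode(), hashlib.sha256).hexdigest()[:16]
                    for v in rule["in"]
                ]
    return fixed
```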
Why wasn't the incident remediated 15 months ago when it was first reported?
“The original January 17th, 2025 bug bounty report about the SDK key did not result in an engineering task, as the key alone is not the vulnerability. The email addresses and flag configurations were the actual issue and not included in this original report,” the company explained.
The researcher’s subsequent reports were incorrectly closed as duplicates, and the emails were caught by spam filters and never reached the intended recipients. ClickUp became aware of the incident only after public disclosure on X, and then disclosed it.
ClickUp also said it is rewarding the researcher with a bug bounty for their findings.
“We greatly apologize that this happened, and we’ll do everything in our power to ensure something like this cannot happen again.”
Updated on April 29th [09:00 a.m. GMT] with a statement from ClickUp.