
"The exposure originated from ClickUp's web application, where a publicly accessible JavaScript file loaded before authentication contained a hard-coded third-party API key. This lack of access controls exposed a dataset containing 959 email addresses and 3,165 internal feature flags, affecting employees at large organizations and government entities across multiple regions."
"Beyond revealing personally identifiable information (PII), the feature flags provide insight into internal development processes such as beta features, A/B testing, and product roadmap signals. This information could be leveraged for targeted attacks, competitive intelligence, or platform abuse."
"Reported in January 2025 and still unresolved at the time of publication, the vulnerability has heightened the risk of targeted phishing, credential stuffing, and other social engineering attacks. Organizations should adopt a more proactive approach to SaaS security, particularly regarding credentials and API exposure."
A hard-coded API key in a JavaScript file served from ClickUp's public website has exposed 959 corporate and government email addresses and 3,165 internal feature flags for over a year. Because the file loads before authentication, anyone who fetches it can read the key, and the key in turn gave unauthenticated access to the dataset. Reported in early 2025 and still unresolved as of April 2026, the exposure raises the risk of targeted phishing, credential stuffing and other social engineering attacks. Organizations are urged to adopt proactive SaaS security measures covering API key exposure and hard-coded credentials.
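The exposure above came from a credential embedded in a JavaScript bundle that anonymous visitors can download. As an added example, not code from ClickUp or from the TechRepublic article, here is a small offline scanner that flags such literals in a bundle using two heuristics: string literals assigned to credential-named identifiers, and high-entropy bare tokens regardless of their name. The sample bundle, its identifier names (`FEATURE_FLAG_KEY`, `BUILD_HASH`, `window.__APP_CONFIG__`) and every key value in it are constructed; the length and entropy thresholds are assumptions, not values from the article.

```python
"""Flag hard-coded credentials in a JavaScript bundle (added example, not ClickUp code)."""
import math
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_TOKEN_LEN = 20        # assumption: shorter literals are rarely credentials
ENTROPY_THRESHOLD = 3.5   # assumption: bits/char; hex and base64 keys score ~3.9 or more

# Pass 1 pattern: a literal assigned to an identifier whose name suggests a credential,
# e.g. apiKey: "...", SDK_KEY = '...'. The words are generic, not a vendor list.
SECRET_NAME_RE = re.compile(
    r"\b(?P<name>[\w$]*?(?:api[_-]?key|secret|token|sdk[_-]?key|client[_-]?side[_-]?id)[\w$]*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"'\n]+)[\"']",
    re.IGNORECASE,
)
# Pass 2 pattern: any string literal long enough to be a key.
STRING_LITERAL_RE = re.compile(r"[\"'](?P<value>[^\"'\n]{%d,})[\"']" % MIN_TOKEN_LEN)
# Only bare tokens get the entropy test; URLs and sentences fail this by shape.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{%d,}$" % MIN_TOKEN_LEN)


@dataclass
class Finding:
    value: str
    line: int
    name: Optional[str] = None            # identifier the literal was assigned to, if any
    reasons: List[str] = field(default_factory=list)

    def redacted(self) -> str:
        """Show only the ends of the value so reports do not re-leak the secret."""
        return self.value[:4] + "..." + self.value[-4:]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _line_of(src: str, offset: int) -> int:
    return src.count("\n", 0, offset) + 1


def scan_bundle(js: str) -> List[Finding]:
    """Return credential-like string literals in js, merged by value and sorted by line."""
    findings: Dict[str, Finding] = {}

    # Pass 1: credential-named assignments, whatever the value looks like
    # (catches placeholder or low-entropy keys a developer left behind).
    for m in SECRET_NAME_RE.finditer(js):
        f = findings.setdefault(m["value"], Finding(m["value"], _line_of(js, m.start())))
        f.name = m["name"]
        f.reasons.append("credential-named identifier")

    # Pass 2: high-entropy bare tokens, whatever they are assigned to
    # (catches keys behind innocuous names such as FEATURE_FLAG_KEY).
    for m in STRING_LITERAL_RE.finditer(js):
        value = m["value"]
        if TOKEN_RE.match(value):
            h = shannon_entropy(value)
            if h >= ENTROPY_THRESHOLD:
                f = findings.setdefault(value, Finding(value, _line_of(js, m.start())))
                f.reasons.append("high entropy (%.2f bits/char)" % h)

    return sorted(findings.values(), key=lambda f: f.line)


# Constructed sample of a bundle served before login. Every value is fake.
SAMPLE_BUNDLE = """\
// vendor-config.js  (served to anonymous visitors, before authentication)
window.__APP_CONFIG__ = {
  endpoint: "https://example.invalid/v1",
  apiKey: "demo-demo-demo-demo-demo-demo",
  version: "1.2.3",
};
const FEATURE_FLAG_KEY = "sdk-0f3a9c7e-5b21-4d8e-a1f7-3c9e8b2d6a41";
const BUILD_HASH = "a3f9c2e8b1d4f7a0c6e2b9d5f8a1c4e7";
const greeting = "Welcome back, please sign in to continue";
"""

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        label = f.name or "<unnamed literal>"
        print(f"line {f.line}: {label} = {f.redacted()}  [{'; '.join(f.reasons)}]")
```

Run it over the JavaScript your own login page serves to anonymous visitors: fetch each bundle and pass its text to `scan_bundle`. The two passes are deliberately independent: `apiKey` is caught by name even though its placeholder value has low entropy, while `FEATURE_FLAG_KEY` is caught only by entropy because its name gives nothing away. Entropy alone also flags `BUILD_HASH`, so entropy-only hits need triage; a key a browser genuinely has to hold should be scoped to the least privilege the vendor allows, and anything that can enumerate users or internal configuration belongs behind a server-side endpoint that checks the session before it talks to the third party.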
Read at TechRepublic