Dateline: April 28, 2026
A Researcher Found ClickUp’s Leaked Emails in One GET Request. That Was 15 Months Ago.
A $4 billion productivity platform used by 85% of the Fortune 500 has been quietly handing out enterprise email addresses to anyone willing to open a browser and copy a key. No hacking required.
What Happened?
Security researcher @weezerOSINT visited ClickUp’s homepage in January 2025, opened the page source, and found a hardcoded Split.io SDK token sitting in plain text inside ClickUp’s production JavaScript bundle. This is the file that loads before any login screen appears.
A single unauthenticated GET request using the key returned 959 email addresses and 3,165 internal feature flags, requiring no credentials, no bypass, and no sophisticated tooling whatsoever.
The data pulled from that one request reads like an enterprise directory: employees from Home Depot, Fortinet, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and law firm Akin Gump. Government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland, and New Zealand. A Microsoft contractor. Seventy-one ClickUp employees.
The exposure gets worse on closer inspection. Among the leaked feature flags was one named enable-missing-authz-checks — active in production — which listed five ClickUp API endpoints that the company itself documented as lacking authorization controls. They documented their own gaps in a config file publicly readable from any browser.
At the time of initial disclosure, a second flag carried a live ClickUp API token tied to Fairfax County Public Schools — one of the largest school districts in the US, serving 180,000 students. That token pulled over 1,000 staff records. ClickUp removed that specific token after the report. The SDK key that exposed it was never rotated.
The original report was filed through HackerOne on January 17, 2025. As of late April 2026, more than 15 months later, the API key had not been rotated. The researcher confirmed the data was still live.
Meanwhile, a second vulnerability (a webhook API with zero SSRF protection) was reported to ClickUp via HackerOne on April 8, 2026. After 19 days, the status still reads “New.”
When the story went public, ClickUp CEO Zeb Evans (@DJ_CURFEW) broke his silence on X, acknowledging the issue. The post came 465 days after the original disclosure — only after the story started spreading publicly.
What’s the Impact?
The exposure carries particular weight given who is affected. Fortinet manufactures enterprise firewalls used globally to defend critical infrastructure. Tenable builds Nessus, the vulnerability scanner deployed across a significant portion of the cybersecurity industry. Having employee email addresses from these organizations exposed through a productivity platform’s sloppy secret management creates a direct attack surface for targeted phishing, credential stuffing, and social engineering campaigns against the very companies tasked with defending others.
For ClickUp, the credibility hit is compounding. The company holds SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, ISO 42001, and PCI DSS certifications. It is eyeing an IPO path. CEO Zeb Evans publicly framed a possible public offering “within two years” — a timeline that now sits awkwardly next to a 15-month-old unpatched vulnerability and a second report going unanswered.
How to Avoid This
This class of vulnerability is not obscure. Hardcoded secrets in client-side JavaScript are among the most documented, most preventable problems in modern web development. A few practices would have stopped this entirely:
Secrets scanning tools like GitGuardian, TruffleHog, or GitHub’s native secret scanning catch hardcoded tokens before they ever reach production. Third-party SDK keys, particularly those tied to feature management platforms like Split.io, should rotate on a schedule and should never be embedded in public-facing bundles. Security teams should run regular audits of what loads before authentication: anything in that bundle is visible to the entire internet.
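As an added illustration of the pre-production audit described above, here is a small release gate that scans a pre-login JavaScript bundle for credential-like string literals. This is example code written for this article, not ClickUp’s, Split.io’s or any scanner vendor’s tooling; the identifier list, entropy thresholds and the sample bundle (including its key) are constructed assumptions.

```python
import math
import re
from collections import Counter

# Identifier fragments that usually name a credential. Assumed list for this
# example, not taken from any vendor's documentation.
SUSPECT_NAMES = ("authorizationkey", "apikey", "api_key", "sdkkey", "sdk_key", "token", "secret")

# Matches name: "value" or name = 'value' in normal or minified JS. Values must be
# 16+ chars from the character set most SDK keys use (assumption).
ASSIGN_RE = re.compile(r'([A-Za-z_$][\w$]*)\s*[:=]\s*["\']([A-Za-z0-9_\-]{16,})["\']')


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_suspect_literals(bundle: str, min_entropy: float = 3.5, high_entropy: float = 4.5):
    """Return (identifier, value, entropy) for literals that look like embedded secrets.

    A credential-like name needs only moderate entropy to be reported, which drops
    placeholders such as "changeme"; an anonymous literal is reported only when its
    entropy is high enough that it is unlikely to be a flag name or a URL path.
    """
    findings = []
    for m in ASSIGN_RE.finditer(bundle):
        name, value = m.group(1), m.group(2)
        ent = shannon_entropy(value)
        name_hit = any(k in name.lower() for k in SUSPECT_NAMES)
        if (name_hit and ent >= min_entropy) or ent >= high_entropy:
            findings.append((name, value, round(ent, 2)))
    return findings


def bundle_is_clean(bundle: str) -> bool:
    """Release-pipeline gate: refuse to ship a pre-auth bundle that has findings."""
    return not find_suspect_literals(bundle)


# Constructed sample of a minified pre-login bundle; the key is a made-up placeholder.
SAMPLE_BUNDLE = (
    'var cfg={core:{authorizationKey:"k7Qm3xZp9vLw2nRt8sYb4cJd6hFg1eAa"},'
    'flags:["enable-missing-authz-checks","new-sidebar"],'
    'debugToken:"notasecretnotasecret",build:"2026.04.28"};'
    'fetch("/api/v1/me")'
)

if __name__ == "__main__":
    for name, value, ent in find_suspect_literals(SAMPLE_BUNDLE):
        print(f"{name}: {value[:6]}... entropy={ent}")
    print("clean" if bundle_is_clean(SAMPLE_BUNDLE) else "BLOCK RELEASE")
```

On the sample, the `authorizationKey` literal is reported while `debugToken` is not, because its repeated dictionary words score far below the entropy threshold; running this against the bundle served before the login screen, on every build, is the audit the paragraph above calls for.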
The fix in this specific case? One click in the Split.io dashboard. Roughly 90 seconds of work. ClickUp has had 465 days.