ClickUp’s Hardcoded API Key Leak Exposes Fortune 500 Firms’ Data, Highlights Security Oversight

A significant security lapse has been identified in ClickUp, a widely used productivity platform: an API key hardcoded into a publicly served JavaScript file exposes sensitive information to anyone who reads the page source. The exposure covers 959 corporate and government email addresses, including employees of Fortinet, Home Depot, Tenable, Mayo Clinic, and several U.S. state government agencies.

The issue was first reported in January 2025 by a security researcher who found the hardcoded API key in the JavaScript served with ClickUp’s homepage. Reading the page source was enough to recover the key; a single GET request carrying it, with no user credentials and no specialised tooling, returned 959 email addresses and 3,165 internal feature flags.

The leaked data encompasses a broad spectrum of the enterprise and government sectors, including employees from:

– Home Depot
– Fortinet
– Autodesk
– Tenable
– Rakuten
– Mayo Clinic
– Permira
– Law firm Akin Gump
– Government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland (Australia), and New Zealand
– A Microsoft contractor
– 71 ClickUp employees

The exposure is particularly concerning given the nature of the affected organizations. Fortinet is a leading manufacturer of enterprise firewalls used globally to protect critical infrastructure, and Tenable develops Nessus, one of the most widely deployed vulnerability scanners in the industry. A verified list of employee email addresses at such companies is exactly the input an attacker needs for targeted phishing, password spraying, and social engineering against organizations responsible for safeguarding others.

In addition to email addresses, the leak included 3,165 internal feature flags, revealing internal product development signals, beta features, and A/B testing configurations. This information could be exploited for competitive intelligence or to facilitate targeted platform abuse.

Despite the initial report to ClickUp via HackerOne on January 17, 2025, the API key had not been rotated as of late April 2026, more than 15 months later. The researcher confirmed that the data was still accessible, having retrieved the full response shortly before making the disclosure public.

This situation underscores a critical oversight in ClickUp’s security practices. Hardcoded secrets in client-side JavaScript are a well-documented and preventable vulnerability: anything served to the browser is public by definition, so a key shipped in a bundle must be treated as disclosed the moment it is deployed. The standard mitigations are to keep the credential server-side behind an authenticated endpoint, scope any token that must reach the client to the minimum it needs, scan built bundles for secrets in CI, and rotate immediately when a report arrives. Given ClickUp’s scale and the security expectations associated with its platform, the failure to rotate for over a year is particularly troubling.
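The manual inspection the researcher performed, and the CI scan a team should be running over its own bundles, can both be automated. The Python scanner below is an added example written for this article; it is not ClickUp’s code, nor the researcher’s, and it does not describe how the real key was found. The bundle text and the token in it are constructed for the example (the token is not ClickUp’s key), and the identifier-name and Shannon-entropy heuristics are the author’s assumptions about what a hardcoded key looks like in minified JavaScript.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed stand-in for a minified front-end bundle. The token value is
# invented for this example; it is not ClickUp's key or any real credential.
SAMPLE_BUNDLE = (
    '!function(){var e="/api/v1/flags";window.__cfg={env:"prod"};\n'
    'const FLAGS_API_KEY="sk_live_4f9a0c7b2e1d8a6b3c5e7f9a1b2c3d4e";\n'
    'fetch(e,{headers:{"X-API-Key":FLAGS_API_KEY}}).then(r=>r.json());\n'
    'var color="#ffffff",build="2025-01-17",pad="xxxxxxxxxxxxxxxxxxxxxxxx";}();\n'
)


@dataclass
class Finding:
    name: str      # identifier the literal was assigned to, if any
    value: str     # the literal itself (redact before logging in real use)
    entropy: float # Shannon entropy in bits per character
    line: int      # 1-based line in the bundle


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and padding score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Heuristic 1 (assumed): a quoted literal of 12+ chars assigned to an identifier
# whose name contains key/token/secret/password, e.g. FLAGS_API_KEY="...".
SECRET_ASSIGN = re.compile(
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:key|token|secret|password)[A-Za-z0-9_]*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']{12,})["\']',
    re.IGNORECASE,
)
# Heuristic 2 (assumed): any long quoted literal made of key-like characters,
# kept only if its entropy is high enough to look like random key material.
QUOTED_LITERAL = re.compile(r'["\']([A-Za-z0-9_\-+/=]{20,})["\']')


def scan_bundle(text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Return candidate hardcoded secrets found in a JavaScript bundle."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        # Named assignments are reported regardless of entropy: the name is the signal.
        for m in SECRET_ASSIGN.finditer(line):
            value = m.group("value")
            if value not in seen:
                findings.append(Finding(m.group("name"), value, shannon_entropy(value), lineno))
                seen.add(value)
        # Unnamed literals must also look random, so "xxxxxxxx..." padding is skipped.
        for m in QUOTED_LITERAL.finditer(line):
            value = m.group(1)
            if value in seen:
                continue
            ent = shannon_entropy(value)
            if ent >= min_entropy:
                findings.append(Finding("<unnamed literal>", value, ent, lineno))
                seen.add(value)
    return findings


def redact(value: str) -> str:
    """Show only a prefix so a scan report does not itself become a leak."""
    return value[:6] + "..." + f"({len(value)} chars)"


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.name} = {redact(f.value)} entropy={f.entropy:.2f}")
```

Run against a real build, the scanner would be pointed at the emitted `.js` files (or at the bundle fetched from the live site, as the researcher effectively did by hand) and wired into CI so that a non-empty result fails the pipeline; a hit on a key-shaped literal is the moment to rotate, not to debate.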

ClickUp has raised $535 million at a $4 billion valuation and claims that 85% of the Fortune 500 use its platform. As of the time of publication, ClickUp has not publicly acknowledged the ongoing exposure.