ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500

A hardcoded third-party API key, found in a publicly accessible JavaScript file on ClickUp’s homepage, has exposed nearly a thousand corporate and government email addresses. The vulnerability, which includes employees from Fortinet, Home Depot, Tenable, Mayo Clinic, and U.S. state government workers, was first reported in January 2025 but remains unrotated as of April 2026.

The exposure was uncovered by a security researcher who visited ClickUp’s homepage, inspected the page source, and found a hardcoded API key embedded directly in a JavaScript file, one that loads before any user authentication takes place.

A single unauthenticated GET request using the key returned 959 email addresses and 3,165 internal feature flags, requiring no credentials, no bypass, and no sophisticated tooling whatsoever.

The leaked data spans an alarming cross-section of the enterprise and government landscape: employees from Home Depot, Fortinet, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and law firm Akin Gump, alongside government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland (Australia), and New Zealand, plus a Microsoft contractor and 71 ClickUp employees.

Hardcoded API Key Exposed

The exposure carries particular weight, given who is affected. Fortinet manufactures enterprise firewalls used globally to defend critical infrastructure. Tenable builds Nessus, the vulnerability scanner deployed across a significant portion of the cybersecurity industry.

Having employee email addresses from these organizations exposed through a productivity platform’s sloppy secret management creates a direct attack surface for targeted phishing, credential stuffing, and social engineering campaigns against the very companies tasked with defending others.

The 3,165 internal feature flags leaked alongside the emails are equally concerning, revealing internal product development signals, beta features, and A/B testing configurations that could aid competitive intelligence or facilitate targeted platform abuse.

The vulnerability was first reported to ClickUp via HackerOne on January 17, 2025.

As of late April 2026, more than 15 months later, the API key had not been rotated. The researcher confirmed the data was still live, having pulled the full response minutes before the disclosure went public

This is not a zero-day. It is an unpatched known vulnerability sitting in production, quietly harvesting enterprise PII for over a year.

ClickUp has raised $535 million at a $4 billion valuation and publicly claims 85% of the Fortune 500 use its platform.

Hardcoded secrets in client-side JavaScript remain one of the most well-documented and preventable vulnerability classes in modern web development, making this lapse all the more difficult to justify at ClickUp’s scale and security posture expectations.

ClickUp has not publicly acknowledged the ongoing exposure at the time of publication.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.