ClickUp Confronts Security Flaw After 893 Customer Email Addresses and Live API Token Exposed

On April 27, 2026, a security researcher publicly disclosed a significant vulnerability within ClickUp’s feature flag configuration system. This incident revealed that 893 customer email addresses were inadvertently exposed due to a misconfiguration that had gone unnoticed by ClickUp’s engineering review process for several months. The email addresses were embedded directly in feature flag targeting rules, making them accessible to anyone with the platform’s public client-side SDK key.

In response to the disclosure, ClickUp issued an incident report the following day, acknowledging the severity of the situation. The company stated, “We should have caught this sooner. We didn’t.”

Nature of the Exposure

The incident involved two primary issues within ClickUp’s feature flag management system. The first concern was the exposure of 893 customer email addresses, which were included in flag targeting rules to determine which users received specific features during staged rollouts.

The Split.io SDK, utilized by ClickUp, features a publicly queryable endpoint known as splitChanges, which returns the complete set of flag definitions, including targeting rules. This endpoint is accessible to anyone possessing the client-side SDK key, which is intentionally embedded in ClickUp’s frontend JavaScript bundle. This design is standard across platforms like Split.io and LaunchDarkly, making the email addresses accessible without any authentication to those who knew where to look.

No sensitive workspace content, passwords, billing data, or account credentials were exposed for any of the affected customers, with one exception the company noted (described below).

The second, more critical issue involved a live customer API token that had been embedded in a rate-limiting flag configuration. An engineer, responding to API abuse, had placed the token directly inside the flag configuration to manage traffic from that workspace. This decision rendered the token retrievable through the same SDK endpoint.

The API token was added on October 7, 2025, and remained in the flag configuration until ClickUp invalidated it shortly after the public disclosure. Investigations revealed no signs of malicious access beyond the researcher’s own inquiry. ClickUp confirmed it is actively working with the affected customer.

By April 29, 2026, all 893 email addresses had been removed from flag configurations.

Technical Root Cause

The misconfiguration stemmed from architectural decisions rather than conventional exploitation. ClickUp employs Split.io for feature flag management, which necessitates a public-facing key embedded in the application bundle. This key is essential for evaluating flags for users in the browser and is standard practice across the industry. The public nature of the key does not constitute a vulnerability.

The exposure arose from the specific data ClickUp’s engineers included in the flag configurations. Flag targeting rules allow for precise control over which users receive specific features, using identifiers such as email addresses or user IDs. ClickUp’s teams had directly used customer email addresses in these rules for beta rollouts. Since the splitChanges endpoint returns the full flag definitions, including targeting rules, and the client-side key is always accessible in the frontend JavaScript, those email addresses became queryable by design.

The company acknowledged that its engineers treated flag configurations as internal tools, despite the SDK architecture making them publicly queryable. Although flag updates required peer review—a process similar to code review—this step failed to identify the accumulation of personally identifiable information (PII) in targeting rules.

Disclosure Timeline

ClickUp’s blog provides a detailed timeline addressing claims circulating in public reporting that suggested the vulnerability remained unaddressed for 15 months following an initial disclosure in January 2025. ClickUp disputes this characterization, clarifying the timeline of events.

On January 17, 2025, a researcher reported the Split.io SDK key disclosure to ClickUp’s bug bounty program, then hosted on BugCrowd. Both ClickUp and BugCrowd classified this report as informational, as the client-side SDK key alone does not represent a vulnerability. This classification was deemed correct, as the email addresses embedded in the flag configurations were not mentioned in the original report.

ClickUp transitioned its bug bounty program from BugCrowd to HackerOne on June 3, 2025, carrying over all past reports. On April 8, 2026, the researcher submitted a new, detailed report on HackerOne, documenting the expanded implications of the 893 customer email addresses and the embedded API token. ClickUp stated it was unaware of the email address exposure until April 27, the day of the public disclosure. The company emphasized that the flag configurations were not part of the original 2025 report, arguing that the “15 months” narrative conflates two separate reports concerning different findings.

Remedial Actions Taken by ClickUp

In the immediate aftermath of the incident, ClickUp outlined four key remediation steps. All customer email addresses were purged from flag targeting rules and replaced with internal user identifiers that do not contain PII. The company has implemented automated tools to detect email addresses and credential patterns in flag configurations before they can be saved. A secrets scanning step has been integrated into the flag configuration deployment pipeline. Additionally, the engineering team has updated its internal guidelines regarding what data is permissible within flag targeting rules.

The peer review process that existed prior to the incident—a required +1 approval on all flag changes—remains intact but did not catch this specific type of misconfiguration. The newly implemented automated tools aim to address this gap at the system level, reducing reliance on manual reviews.
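As an added example of the pre-save check described above (not ClickUp's or Split's own code), the scanner below walks a constructed, simplified flag definition and rejects it if any targeting-rule value looks like an email address or a credential. The flag shape, field names, entropy threshold and token heuristic are assumptions made for the illustration.

```python
import math
import re
from collections import Counter

# Added example, not ClickUp's or Split's code. The flag shape is a constructed,
# simplified stand-in: its targeting rules are served to every browser holding
# the public client-side SDK key, so nothing inside them may be private.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed heuristic for API-token-like values: long, unspaced, high entropy.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def classify(value):
    """Return 'email', 'credential' or None for one string value."""
    if EMAIL_RE.search(value):
        return "email"
    if TOKEN_RE.match(value) and shannon_entropy(value) > 3.5:
        return "credential"
    return None

def scan_flag_config(node, path="$"):
    """Walk a flag definition; list (path, kind) for every value that must not ship."""
    findings = []
    if isinstance(node, dict):
        for key, val in node.items():
            findings += scan_flag_config(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            findings += scan_flag_config(val, f"{path}[{i}]")
    elif isinstance(node, str) and (kind := classify(node)):
        findings.append((path, kind))
    return findings

def gate_save(flag):
    """Pre-save gate: (allowed, findings); a flag carrying PII or credentials is rejected."""
    findings = scan_flag_config(flag)
    return (not findings, findings)

# Constructed sample: a beta rollout keyed on a customer email, a rate-limiting
# rule that smuggled a (fake) API token, and the opaque user id that should be used.
SAMPLE_FLAG = {"name": "new_dashboard_beta", "conditions": [
    {"matcher": {"type": "WHITELIST", "whitelist": ["alice@example.com"]}, "treatment": "on"},
    {"matcher": {"type": "EQUAL_TO", "attribute": "api_token",
                 "value": "q7Lm2Zx9Vb4Rt8Yp1Ws5Hn3Kd6Jf0Gc2Xa4Eu7Mi"}, "treatment": "throttled"},
    {"matcher": {"type": "WHITELIST", "whitelist": ["user_8f3a2b"]}, "treatment": "on"},
]}
```

Wiring `gate_save` into the flag deployment pipeline turns the missed review item into a hard failure, and the returned paths tell the author exactly which rule to fix.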

Customers whose email addresses were among the 893 affected were notified directly by ClickUp on or before April 29, 2026. Those who did not receive direct communication were not included in the exposed list.

For further details, please refer to the original reporting source: thecyberexpress.com.
