A ClickUp vulnerability has exposed customer email addresses through a basic but critical security flaw. A researcher discovered that a hardcoded API key in a public JavaScript file allowed access to sensitive data without authentication.
The issue highlights how simple misconfigurations can create serious risks in widely used SaaS platforms.
Hardcoded API key enabled data access
The ClickUp vulnerability stems from an API key embedded in the platform's client-side JavaScript. Reusing that key, the researcher retrieved 959 email addresses belonging to users across various organizations.
The same response also included internal feature flags, which reveal how the platform gates features, testing environments and product behavior.
The flaw did not require advanced techniques: a single request carrying the key was enough to extract the data.
No authentication required to exploit flaw
The ClickUp vulnerability required no login or special permissions. Anyone inspecting the platform's frontend code, which every browser downloads in full, could locate the API key and reuse it in their own requests.
This type of exposure points to weak secret management practices. Code shipped to the browser must be treated as public, so a credential placed there protects nothing and should never appear in publicly accessible code.
The ease of access significantly increases the risk of misuse.
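The check a practitioner wants after reading this is whether their own shipped bundles contain the same class of mistake. The following is an added example, not code from the article or from ClickUp: a dependency-free Node.js scanner that flags hardcoded secrets in a JavaScript bundle by combining known key prefixes with a generic "credential-looking identifier assigned a long, high-entropy literal" rule. The regexes, the entropy threshold and the `SAMPLE_BUNDLE` it scans are constructed for illustration and are assumptions to tune for real code.

```javascript
// Added example, not code from the article or from ClickUp: a Node.js scanner
// for hardcoded secrets in a frontend bundle. Patterns, thresholds and the
// sample input below are assumptions chosen for illustration.

// Well-known key formats whose prefix alone is a strong signal.
const KNOWN_PREFIXES = [
  { kind: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: "Stripe live secret key", re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { kind: "GitHub personal access token", re: /\bghp_[0-9A-Za-z]{36}\b/g },
  { kind: "Slack token", re: /\bxox[abp]-[0-9A-Za-z-]{10,}\b/g },
  { kind: "Google API key", re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
];

// A quoted literal of 16+ chars assigned to an identifier that smells like a
// credential, e.g.  API_KEY = "..."  or  "x-api-key": "..."  or  secret: '...'.
const GENERIC_ASSIGN =
  /["']?([\w.-]*(?:api[_-]?key|secret|token|password|passwd|authorization)[\w.-]*)["']?\s*[:=]\s*["'`]([^"'`\n]{16,})["'`]/gi;

// Shannon entropy in bits per character; random keys score high, prose low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Keep one finding per secret value (a known-prefix hit wins over a generic one).
function dedupe(findings) {
  const seen = new Set();
  return findings.filter((f) => !seen.has(f.value) && seen.add(f.value));
}

// Scan bundle text; returns [{kind, identifier, value, line}] sorted by line.
function scanBundle(source, { minEntropy = 3.0 } = {}) {
  const findings = [];
  const lineOf = (idx) => source.slice(0, idx).split("\n").length;

  for (const { kind, re } of KNOWN_PREFIXES) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      findings.push({ kind, identifier: null, value: m[0], line: lineOf(m.index) });
    }
  }

  GENERIC_ASSIGN.lastIndex = 0;
  let m;
  while ((m = GENERIC_ASSIGN.exec(source)) !== null) {
    const [, identifier, value] = m;
    // Skip template interpolation and obvious placeholders, then low-entropy
    // values such as URLs or sentences that merely sit next to a scary name.
    if (/\$\{/.test(value) || /^(REPLACE|YOUR_|CHANGE|xxx|<)/i.test(value)) continue;
    if (shannonEntropy(value) < minEntropy) continue;
    findings.push({ kind: "generic secret assignment", identifier, value, line: lineOf(m.index) });
  }
  return dedupe(findings).sort((a, b) => a.line - b.line);
}

// Never echo the full secret into logs or CI output.
function redact(value) {
  return value.length <= 8 ? "****" : `${value.slice(0, 4)}...${value.slice(-2)}`;
}

// Scan a real bundle on disk, e.g. scanFile("dist/main.js").
function scanFile(path) {
  const fs = require("fs");
  return scanBundle(fs.readFileSync(path, "utf8"));
}

// Constructed sample of a frontend bundle (not ClickUp's code). The AWS value
// is the placeholder key from AWS's own documentation, not a live credential.
const SAMPLE_BUNDLE = `
// constructed sample bundle
const cfg = { baseUrl: "https://api.example.invalid/v1", retries: 3 };
const API_KEY = "pk_9f8e7d6c5b4a39281706f5e4d3c2b1a0";
fetch(cfg.baseUrl + "/users", { headers: { "x-api-key": API_KEY } });
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const PLACEHOLDER_TOKEN = "REPLACE_ME_WITH_REAL_TOKEN_VALUE";
const greeting_token = "hello hello hello hello";
`;

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  const who = f.identifier ? ` (${f.identifier})` : "";
  console.log(`line ${f.line}: ${f.kind}${who} -> ${redact(f.value)}`);
}
```

On the constructed sample the scanner reports the `API_KEY` literal on line 4 and the AWS-format key on line 6, and stays quiet on the placeholder and the low-entropy string. Wiring `scanFile` into the build step that produces your bundle, and failing the build on any finding, turns the manual "inspect the frontend code" step the researcher performed into a check that runs before the code is ever served.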
Vulnerability remained unpatched for months
The ClickUp vulnerability was reportedly disclosed through a responsible disclosure program in early 2025. The researcher claims the issue then remained unresolved for months.
Delays like this increase the chance that other actors may discover and exploit the same flaw.
It also raises questions about how companies prioritize and handle reported vulnerabilities.
Potential for deeper security risks
The researcher also identified a second issue related to the ClickUp vulnerability. This flaw could allow users to interact with internal cloud infrastructure under certain conditions.
While the full impact remains unclear, such access could expose backend systems or expand the attack surface.
This suggests the problem may extend beyond simple data exposure.
Phishing risks increase after data exposure
The ClickUp vulnerability creates clear risks for affected users. Exposed email addresses can be used in targeted phishing campaigns.
Attackers may craft messages that appear legitimate by referencing real tools or workflows. This increases the chances of successful social engineering attacks.
Even limited data leaks can lead to larger security incidents.
Conclusion
The ClickUp vulnerability shows how a single exposed API key can lead to meaningful data exposure. The flaw did not rely on complex exploitation, yet it still impacted real users.
The incident highlights the need for stronger secret management and faster response times. As SaaS platforms continue to expand, basic security mistakes can have wide-reaching consequences.