
ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants

Cybersecurity News, archived Apr 27, 2026




By Guru Baran, April 27, 2026

A publicly accessible JavaScript file on ClickUp’s homepage has been silently leaking nearly a thousand corporate and government email addresses, including employees from Fortinet, Home Depot, Tenable, Mayo Clinic, and U.S. state government workers, through a hardcoded third-party API key that was first reported in January 2025 and remains unrotated as of April 2026.

The exposure was uncovered by a security researcher who visited ClickUp’s homepage, inspected the page source, and found a hardcoded API key embedded directly in a JavaScript file, one that loads before any user authentication takes place. A single unauthenticated GET request using the key returned 959 email addresses and 3,165 internal feature flags, requiring no credentials, no bypass, and no sophisticated tooling whatsoever.

"I WENT TO HTTPS://T.CO/GYTMJD81A6. OPENED THE PAGE SOURCE. FOUND A HARDCODED API KEY IN THE JAVASCRIPT. COPIED IT. SENT ONE GET REQUEST. GOT BACK 959 EMAIL ADDRESSES AND 3,165 INTERNAL FEATURE FLAGS. EMPLOYEES FROM HOME DEPOT. FORTINET. AUTODESK. TENABLE. RAKUTEN. MAYO CLINIC.… PIC.TWITTER.COM/C0SS5T6AT1" — impulsive (@weezerOSINT), April 27, 2026

The leaked data spans an alarming cross-section of the enterprise and government landscape: employees from Home Depot, Fortinet, Autodesk, Tenable, Rakuten, Mayo Clinic, Permira, and law firm Akin Gump, alongside government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland (Australia), and New Zealand, plus a Microsoft contractor and 71 ClickUp employees.

Hardcoded API Key Exposed

The exposure carries particular weight given who is affected. Fortinet manufactures enterprise firewalls used globally to defend critical infrastructure. Tenable builds Nessus, the vulnerability scanner deployed across a significant portion of the cybersecurity industry. Having employee email addresses from these organizations exposed through a productivity platform’s sloppy secret management creates a direct attack surface for targeted phishing, credential stuffing, and social engineering campaigns against the very companies tasked with defending others.

The 3,165 internal feature flags leaked alongside the emails are equally concerning, revealing internal product development signals, beta features, and A/B testing configurations that could aid competitive intelligence or facilitate targeted platform abuse.

The vulnerability was first reported to ClickUp via HackerOne on January 17, 2025. As of late April 2026, more than 15 months later, the API key had not been rotated. The researcher confirmed the data was still live, having pulled the full response minutes before the disclosure went public. This is not a zero-day. It is an unpatched known vulnerability sitting in production, quietly harvesting enterprise PII for over a year.

ClickUp has raised $535 million at a $4 billion valuation and publicly claims 85% of the Fortune 500 use its platform. Hardcoded secrets in client-side JavaScript remain one of the most well-documented and preventable vulnerability classes in modern web development, making this lapse all the more difficult to justify at ClickUp’s scale and security posture expectations. ClickUp had not publicly acknowledged the ongoing exposure at the time of publication.
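A defender-side check for the vulnerability class the article names, as an added example that is not ClickUp's or the researcher's code: it scans a constructed JavaScript bundle for hardcoded key-like string literals, using both the identifier a literal is assigned to and its Shannon entropy, so a CI or pre-deploy step can catch such a key before it reaches a public page. The sample bundle, its identifiers and the key-looking values are all made up.

```javascript
// Added example (not ClickUp's or the researcher's code): flag hardcoded,
// key-like string literals in a client-side JavaScript bundle before it ships.
// Heuristics: (1) literal assigned to a secret-ish identifier, or (2) literal is
// long, high-entropy and built only from key-style characters (no spaces/URLs).
const SECRET_NAMES = /api[_-]?key|secret|token|auth|passw(or)?d|credential/i;
const KEY_CHARSET = /^[A-Za-z0-9_\-+\/=]+$/;
const MIN_KEY_LEN = 20;
const MIN_ENTROPY = 4.0; // bits per char; English prose sits near 3.5, random keys above 4.5
// Captures `name: "literal"` or `name = 'literal'` with at least 8 characters.
const ASSIGN_RE = /([A-Za-z_$][\w$]*)\s*[:=]\s*(["'])([^"'\n]{8,})\2/g;

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

function findHardcodedSecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(ASSIGN_RE)) {
      const [, name, , value] = m;
      const entropy = shannonEntropy(value);
      const byName = SECRET_NAMES.test(name) && value.length >= 16;
      const byEntropy = value.length >= MIN_KEY_LEN && KEY_CHARSET.test(value) && entropy >= MIN_ENTROPY;
      if (byName || byEntropy) {
        findings.push({ line: idx + 1, name, entropy: Number(entropy.toFixed(2)),
          reason: byName ? "secret-like name" : "high entropy",
          preview: value.slice(0, 4) + "..." }); // never log the full value
      }
    }
  });
  return findings;
}

// Constructed sample bundle; the key-looking values are made up, not real credentials.
const SAMPLE_BUNDLE = [
  "window.__APP_CONFIG__ = {",
  '  title: "Project management for everyone",',     // prose: not flagged
  '  apiKey: "4f9aT2bQ8zXc1LmN7vRe0pHwK3jD5sYu",',    // flagged by name
  '  endpoint: "https://example.invalid/v1/flags",',  // URL charset: not flagged
  '  h: "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xYzC",',       // flagged by entropy alone
  '  token: "",',                                     // empty literal: ignored
  "};",
].join("\n");
console.log(findHardcodedSecrets(SAMPLE_BUNDLE));
```

Run it against each built bundle in CI and fail the build on any finding; a key that legitimately must be in the browser should be a scoped, low-privilege one and the sensitive call moved behind a server-side endpoint that authenticates the user first.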