Categories: Cyber Security News

ClickUp Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants

ClickUp, a widely used productivity and project management platform, is facing serious security concerns after a hardcoded API key exposed sensitive data linked to major enterprises and government entities.

A security researcher known as @weezerOSINT discovered that ClickUp had embedded a Split.io SDK token directly inside its production JavaScript bundle.

This script automatically loads whenever users access ClickUp’s content delivery network, making the token publicly accessible.

Attackers do not need authentication or special access; simply viewing the page source is enough to extract the key.

Using this exposed token, the researcher demonstrated that a single request to the Split.io API could return approximately 4.5MB of backend data.

This dataset included 959 email addresses belonging to employees from Fortune 500 companies and government organizations across three countries.

One of the flags had a live ClickUp API token embedded in it (Source: Twitter)

Hardcoded Key Leads to Data Exposure

The presence of a hardcoded API key in a production environment highlights a fundamental security failure.

Such keys should never be exposed in client-side code, as they can be easily harvested and abused. In this case, the exposed token effectively granted access to sensitive internal data without any restrictions.

The issue reportedly remained unresolved for over a year, raising concerns about ClickUp’s internal security monitoring and response processes.

In addition to the data leak, the researcher identified a critical Server-Side Request Forgery (SSRF) vulnerability within ClickUp’s webhook functionality.

The flaw allows attackers to manipulate the server into making unauthorized internal requests.

To demonstrate the impact, the researcher created a free ClickUp account and configured a webhook targeting the AWS metadata service.

By triggering the webhook through a simple action, the system returned internal AWS Identity and Access Management (IAM) credentials.

This type of vulnerability is particularly dangerous because it enables attackers to move laterally within cloud environments. In worst-case scenarios, SSRF flaws can lead to full infrastructure compromise.
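Webhook destinations are user-controlled URLs, so the server-side fix is to resolve and validate the target before the backend ever connects. The following is an added example (not ClickUp's code) of such a check in Python; the `resolve` hook is injectable so the logic can be exercised offline, and the hostnames in `BLOCKED_HOSTS` are an illustrative denylist, not a complete one.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical egress check for user-supplied webhook URLs (added example,
# not ClickUp's code). Goal: the backend must never be talked into calling
# its own infrastructure, e.g. the AWS metadata service at 169.254.169.254.
ALLOWED_SCHEMES = {"https"}
# Well-known cloud metadata hostnames, rejected regardless of what they resolve to.
BLOCKED_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}


def default_resolve(host):
    """Resolve host to every A/AAAA address it has (requires network access)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_internal(ip):
    """True for any address that is not a normal, globally routable target."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 still reaches the metadata service
    return (not ip.is_global or ip.is_link_local or ip.is_loopback
            or ip.is_multicast or ip.is_unspecified)


def validate_webhook_url(url, resolve=default_resolve):
    """Return (ok, reason). `resolve` is injectable so the check can run offline."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in BLOCKED_HOSTS:
        return False, "blocked hostname"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    # Every record must pass: a name with one public and one internal address
    # is a classic round-robin / rebinding trick.
    for ip in addrs:
        if is_internal(ip):
            return False, f"resolves to internal address {ip}"
    return True, "ok"
```

The addresses that pass this check must be the ones the HTTP client actually connects to (pin them, and re-run the check on every redirect); otherwise a DNS change between validation and connection defeats it.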

Despite responsible disclosure, ClickUp reportedly closed the vulnerability report within two days, marking it as a duplicate of an earlier submission from January 2025.

This suggests the company was aware of the issue for over 15 months without implementing a fix.

The incident also raises questions about ClickUp’s compliance claims. The company lists several major certifications, including SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, ISO 42001, and PCI DSS.

However, the existence of both a hardcoded API key and an unprotected SSRF endpoint indicates gaps in security validation and audit effectiveness.

This disclosure follows a similar recent incident involving another platform, suggesting a broader pattern of overlooked vulnerabilities affecting sensitive data.


The post ClickUp Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants appeared first on Cyber Security News.
