ClickUp API Key Vulnerability Exposes 959 Emails from Fortune 500 Firms
Severity: High (Score: 66.0)
Sources: Cybersecuritynews, Gbhackers
Summary
A security vulnerability in ClickUp has led to the exposure of 959 email addresses associated with major Fortune 500 companies and government agencies. The issue arises from a hardcoded Split.io SDK token in ClickUp's production JavaScript bundle, which is loaded automatically whenever a user accesses the platform, so anyone who loads the page can read the token out of the served script. The vulnerability was first reported in January 2025 and has not been addressed as of April 2026. Affected organizations include Fortinet, Depot, Tenable, Mayo Clinic, and various U.S. state government employees. The exposed email addresses could be used for phishing and other malicious activity, and because the issue remains unpatched, security professionals are urged to monitor for potential misuse of the exposed data. The incident highlights the risks of shipping hardcoded credentials in production client-side code (CWE-798), where they are visible to every user rather than confined to a server.

Key Points:
- 959 email addresses from Fortune 500 firms and government agencies were exposed.
- The vulnerability stems from a hardcoded API key in ClickUp's JavaScript bundle.
- The issue was first reported in January 2025 and remains unaddressed as of April 2026.
Key Entities
- Data Breach (attack_type)
- ClickUp (company)
- Depot (company)
- Fortinet (company)
- Mayo Clinic (company)
- Tenable (company)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-798 - Use of Hard-coded Credentials (cwe)
- split.io (domain)
- Government (industry)
- JavaScript (tool)