A hardcoded API key embedded in ClickUp’s public website has quietly exposed hundreds of corporate and government email addresses for more than a year. The flaw, first reported in early 2025, remained active as of April 2026 — allowing anyone to access sensitive data with a simple request and no authentication.

“I went to http://clickup[.]com, opened the page source, and found a hardcoded API key in the javascript. I sent one GET request and got back 959 email addresses and 3,165 internal feature flags,” security researcher Impulsive said in an X post.

ClickUp data exposure explained

The exposure originated from ClickUp’s web application, where a publicly accessible JavaScript file loaded before authentication contained a hard-coded third-party API key. Because client-side code is inherently visible, the key could be easily extracted and used to query a backend endpoint via an unauthenticated GET request.…
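
A pre-deploy check for the class of mistake described above, scanning a built client-side bundle for credential-like string literals. This is an added example, not code from the article or from ClickUp; the function names, the entropy threshold and the sample bundle are assumptions constructed for illustration.

```javascript
// Pre-deploy check for credential-like literals in client bundles (added example;
// function names, thresholds and SAMPLE_BUNDLE are constructed for illustration).

// Shannon entropy in bits per character: random keys score high, words score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A name containing key/token/secret, then ':' or '=', then a quoted literal
// of 16+ non-space characters. Groups: 1 = name, 2 = quote, 3 = value.
const KEY_ASSIGNMENT =
  /["']?([\w$]*(?:key|token|secret)[\w$]*)["']?\s*[:=]\s*(["'`])([^"'`\s]{16,})\2/gi;

function findHardcodedKeys(source, { minEntropy = 4.0 } = {}) {
  const findings = [];
  for (const m of source.matchAll(KEY_ASSIGNMENT)) {
    const name = m[1];
    const value = m[3];
    // Skip placeholders that are substituted at deploy or run time.
    if (/^(__|%%|\$\{)/.test(value)) continue;
    const entropy = shannonEntropy(value);
    // Crude filter: hex-only keys top out at 4.0 bits/char and need a lower bar.
    if (entropy < minEntropy) continue;
    findings.push({
      name,
      line: source.slice(0, m.index).split("\n").length,
      entropy: Number(entropy.toFixed(2)),
      // Never echo the full value into CI logs.
      preview: `${value.slice(0, 4)}...(${value.length} chars)`,
    });
  }
  return findings;
}

// Constructed sample of a minified config object served before login.
const SAMPLE_BUNDLE = [
  'window.__cfg={env:"production",',
  'flagsApiKey:"zQ7f3Lk9Xv2Bn8Rt5Wy1Hd6Ms4Pc0Ja",',
  'themeKey:"default-dark-theme-v2",',
  'sessionToken:"__INJECTED_AT_RUNTIME__"};',
].join("\n");
console.log(findHardcodedKeys(SAMPLE_BUNDLE));
```

A finding from a check like this means the third-party call belongs behind an authenticated server-side proxy, and the flagged key should be treated as already disclosed and rotated.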