ClickUp: ClickUp Discloses Feature Flag Misconfiguration That Exposed 893 Customer Email Addresses and a Live API Token

ClickUp Exposes 893 Customer Emails and API Token Due to Feature Flag Misconfiguration

On April 27, 2026, a security researcher's disclosure forced ClickUp to address a months-long misconfiguration in its feature flag system that had exposed 893 customer email addresses and a live API token. The incident stemmed from engineering practices that treated flag targeting rules as internal tooling, even though they were publicly accessible through the platform’s client-side SDK.

The exposure involved two issues within ClickUp’s Split.io-based feature flag system. First, customer email addresses used to control staged feature rollouts were embedded directly in flag targeting rules, making them queryable through Split.io’s public splitChanges endpoint. The client-side SDK key needed to fetch this data is intentionally public (a standard industry practice); what was unintended was the inclusion of personally identifiable information (PII) in the flag configurations themselves. Second, one live API token was found in a rate-limiting flag. No workspace content, passwords, or billing data were exposed.

The API token, added on October 7, 2025, remained in the configuration until ClickUp invalidated it on April 28, 2026. Logs showed no evidence of malicious access beyond the researcher’s investigation. All 893 email addresses were removed from flag configurations by April 29, and affected customers were notified directly.

The root cause was architectural: ClickUp’s engineers failed to account for the public nature of flag targeting rules when using PII in configurations. While flag updates required peer review, the process did not catch the accumulation of sensitive data. ClickUp acknowledged the oversight, stating, “We should have caught this sooner. We didn’t.”

The disclosure timeline clarifies a disputed claim that the issue went unaddressed for 15 months. In January 2025, a researcher reported the public SDK key (by design not a vulnerability) to ClickUp’s BugCrowd program; the email exposure was not part of that report. A separate, detailed disclosure filed on April 8, 2026, after ClickUp had migrated to HackerOne, revealed the full scope and prompted the public disclosure on April 27.

In response, ClickUp implemented automated tooling to detect PII and credentials in flag configurations, added secrets scanning to the deployment pipeline, and replaced email addresses with internal identifiers. The existing peer review process remains in place but is now supplemented by system-level checks.
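As an added example that is not ClickUp's or Split.io's own tooling, the Python below approximates the "automated tooling to detect PII and credentials in flag configurations" described above: it walks a constructed, simplified splitChanges-style payload (the field names only loosely mirror the Split.io format and are an assumption) and reports email addresses and credential-like strings with a redacted prefix. The dark_mode flag targets internal identifiers, the replacement ClickUp adopted, and produces no finding.

```python
import json
import re

# Added example: scan Split.io-style flag definitions for emails and
# credential-like strings before they ship to a public client-side SDK.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECRET_KEY_RE = re.compile(r"(?i)\b(api[_-]?key|token|secret|password)\b\s*[:=]")
TOKEN_RE = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")  # long opaque values

# Constructed sample; the shape is an assumed, simplified splitChanges payload
# and every flag name, address and token value is fake.
SAMPLE_SPLIT_CHANGES = json.dumps({"splits": [
    {"name": "new_dashboard", "configurations": {},
     "conditions": [{"matcherGroup": {"matchers": [{"matcherType": "WHITELIST",
      "whitelistMatcherData": {"whitelist": ["alice@example.com", "bob@example.org"]}}]}}]},
    {"name": "rate_limit_bypass",
     "conditions": [{"matcherGroup": {"matchers": [{"matcherType": "ALL_KEYS"}]}}],
     "configurations": {"on": "token=cu_EXAMPLE_0123456789abcdefABCDEF0123"}},
    {"name": "dark_mode", "configurations": {},  # internal ids: the safe pattern
     "conditions": [{"matcherGroup": {"matchers": [{"matcherType": "WHITELIST",
      "whitelistMatcherData": {"whitelist": ["user_4821", "user_9937"]}}]}}]},
]})


def _strings(node):
    """Yield every string value reachable in a parsed JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def redact(value):
    """Report only a short prefix so the scanner's own output does not re-leak."""
    return value[:4] + "..."


def scan_split_changes(payload):
    """Return (flag_name, kind, redacted_value) for each suspicious string."""
    findings = []
    for split in json.loads(payload).get("splits", []):
        for text in _strings(split):
            if EMAIL_RE.search(text):
                findings.append((split["name"], "email", redact(text)))
            elif SECRET_KEY_RE.search(text) or TOKEN_RE.search(text):
                findings.append((split["name"], "credential", redact(text)))
    return findings
```

Run as a pre-deploy gate, a non-empty result from scan_split_changes blocks the flag change before it reaches the public endpoint.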

Source: https://thecyberexpress.com/clickup-feature-flag-misgonfiguration-leak/

ClickUp cybersecurity rating report: https://www.rankiteo.com/company/clickup-app

{
  "id": "CLI1777436623",
  "linkid": "clickup-app",
  "type": "Breach",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "893",
      "industry": "Project Management/Software",
      "name": "ClickUp",
      "type": "SaaS Platform"
    }
  ],
  "attack_vector": "Misconfiguration",
  "customer_advisories": "Affected customers were notified directly.",
  "data_breach": {
    "data_exfiltration": "No evidence of malicious exfiltration",
    "number_of_records_exposed": "893 email addresses, 1 API token",
    "personally_identifiable_information": "Email addresses",
    "sensitivity_of_data": "Low to moderate (PII but no passwords, billing data, or workspace content)",
    "type_of_data_compromised": "Email addresses, API token"
  },
  "date_detected": "2026-04-08",
  "date_publicly_disclosed": "2026-04-27",
  "date_resolved": "2026-04-29",
  "description": "On April 27, 2026, security researcher disclosure forced ClickUp to address a months-long misconfiguration in its feature flag system, exposing 893 customer email addresses and a live API token. The incident stemmed from engineering practices that treated flag targeting rules as internal tooling, despite their public accessibility via the platform’s client-side SDK.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to PII exposure",
    "data_compromised": "893 customer email addresses and 1 live API token",
    "identity_theft_risk": "Low (only email addresses exposed)",
    "systems_affected": "Feature flag system (Split.io)"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "Failure to account for public accessibility of feature flag targeting rules when using PII in configurations. Peer review processes did not catch the accumulation of sensitive data.",
  "post_incident_analysis": {
    "corrective_actions": "Automated PII/credential detection in flag configurations, secrets scanning in deployment pipeline, replacement of email addresses with internal identifiers, and enhanced system-level checks.",
    "root_causes": "Engineering practices treated feature flag targeting rules as internal tooling despite public accessibility via client-side SDK. Peer review processes did not catch the inclusion of PII in flag configurations."
  },
  "recommendations": "Implement automated tooling to detect PII/credentials in flag configurations, add secrets scanning to deployment pipelines, replace PII with internal identifiers, and supplement peer review with system-level checks.",
  "references": [
    {
      "source": "Security researcher disclosure (HackerOne)"
    }
  ],
  "response": {
    "communication_strategy": "Direct notification to affected customers",
    "containment_measures": "Invalidation of exposed API token, removal of email addresses from flag configurations",
    "remediation_measures": "Automated tooling to detect PII/credentials in flag configurations, secrets scanning in deployment pipeline, replacement of email addresses with internal identifiers"
  },
  "title": "ClickUp Exposes 893 Customer Emails and API Token Due to Feature Flag Misconfiguration",
  "type": "Data Exposure",
  "vulnerability_exploited": "Feature flag misconfiguration (Split.io-based system)"
}