Productivity platform ClickUp has disclosed a configuration oversight that exposed the personal information of nearly 900 customers. On April 27, 2026, the company became aware that its client-side feature flag configurations—intended to manage software rollouts—had been inadvertently turned into a public directory of sensitive data.
While feature flag platforms are essential for modern engineering, their client-side implementations are often visible to the world by design.
ClickUp utilizes Split.io for feature flag management, a platform that requires a client-side SDK key to be embedded in the browser’s JavaScript. While this key is “intentionally public” and standard across the industry, the company’s engineering teams had been using customer email addresses directly within flag targeting rules to manage beta tests.
Because the Split.io SDK allows anyone with that public key to query full flag definitions, the embedded data became accessible to anyone who knew where to look. The blog post was candid about the internal failure: “Engineers treated flag configurations as internal tooling, when the SDK architecture makes them publicly queryable by design.”
While the exposure was primarily limited to 893 customer email addresses, a much more severe risk was uncovered involving a single workspace. An on-call engineer, responding to an incident of API abuse, improperly placed a customer’s live API token into a rate-limiting flag configuration.
ClickUp confirmed the token was added on October 7, 2025, and remained active until its invalidation on April 27, 2026. The company stated that “credentials do not belong in flag configs,” and confirmed it is working directly with the affected customer to ensure no malicious access occurred.
Perhaps most frustrating for the security community is that this exposure could have been mitigated months ago. The timeline reveals a series of systemic failures.
A researcher reported the issue to HackerOne on April 8, 2026, but a triage analyst “incorrectly closes the report as a duplicate,” missing the new evidence of PII exposure. When the researcher attempted to escalate directly to ClickUp’s CEO on April 25, the communications were “caught by spam filters and do not reach the intended recipients.”
The company acknowledged the delay, stating: “We should have caught this sooner. We didn’t, and we owe you a clear explanation of what happened, why, and what we’ve done about it”.
ClickUp has since removed all customer email addresses from its configurations and invalidated the exposed API token. Moving forward, the company plans to implement automated scanning for all feature flag changes to block any patterns resembling PII or credentials before they ever go live.
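The pre-deploy check described above, as an added example written for this article rather than code from ClickUp or Split.io: it walks every string in a set of flag definitions and blocks the change when a value looks like an email address or a credential. The flag structure, field names and sample values are assumptions loosely modelled on whitelist-style targeting rules, not Split.io's real schema.

```python
import re

# Constructed sample of flag definitions in a whitelist-targeting style
# (field names are assumptions, not Split.io's real schema; values are made up).
SAMPLE_FLAGS = [
    {"name": "beta_dashboard",
     "conditions": [{"matcher": "WHITELIST",
                     "whitelist": ["jane.doe@example.com", "user-1234"]}]},
    {"name": "rate_limit_bypass",
     "conditions": [{"matcher": "WHITELIST",
                     "whitelist": ["pk_live_aB3dE5fG7hJ9kL1mN3pQ5rS7tU9vW1xY"]}]},
    {"name": "new_search",
     "conditions": [{"matcher": "IN_SEGMENT", "segment": "internal_testers"}]},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Credential-shaped strings: a common key prefix followed by a long token body,
# or a bare run of 32+ hex characters. Tuned towards false positives on purpose:
# a gate should block and hand the change to a human rather than miss a token.
TOKEN_RE = re.compile(
    r"(?:pk|sk|tok|token|api|key|secret)[_-][A-Za-z0-9_\-]{16,}|\b[A-Fa-f0-9]{32,}\b",
    re.IGNORECASE,
)

def _strings(node, path):
    """Yield (json_path, value) for every string nested inside a flag definition."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_flags(flags):
    """One finding per offending string; the value itself is never echoed back."""
    findings = []
    for flag in flags:
        for path, value in _strings(flag.get("conditions", []), f"{flag['name']}.conditions"):
            if EMAIL_RE.search(value):
                findings.append({"flag": flag["name"], "path": path, "kind": "email"})
            elif TOKEN_RE.search(value):
                findings.append({"flag": flag["name"], "path": path, "kind": "credential"})
    return findings

def gate(flags):
    """CI gate: True only when no PII- or credential-shaped value is present."""
    return not scan_flags(flags)
```

Run as a required check on every flag change: the two constructed flags above fail the gate, the segment-based one passes, and the report names the flag and path without reproducing the offending value.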
| Data Category | Status of Exposure |
| --- | --- |
| Customer Emails | 893 addresses exposed |
| API Tokens | 1 specific token exposed and invalidated |
| Workspace Content | No tasks, docs, or files exposed |
| Passwords/Billing | No passwords or billing data exposed |