Breaches, Apr 28, 2026

April 27th - What happened with our feature flag configuration | The ClickUp Blog

ClickUp exposed 893 customer emails and one API token in client-side feature flag configurations.

Summary

On April 27, 2026, a security researcher disclosed that ClickUp's feature flag configuration exposed 893 customer email addresses embedded in targeting rules, plus one API token used for rate-limiting during incident response. The exposure occurred because engineers treated feature flag configurations as internal tooling when the Split.io SDK architecture makes them publicly queryable via the splitChanges endpoint. ClickUp removed the exposed emails by April 28 and invalidated the token, but acknowledged the peer review process failed to catch the misconfiguration.

Full text

April 27th – What happened with our feature flag configuration
ClickUp Security Team, Apr 28, 2026

On April 27, 2026, a security researcher publicly disclosed that ClickUp's client-side feature flag configuration exposed personally identifiable information. Specifically, 893 customer email addresses were embedded in feature flag targeting rules, along with one flag that improperly referenced a customer's API token, which had been used during an incident response to rate-limit traffic from that workspace.

We should have caught this sooner. We didn't, and we owe you a clear explanation of what happened, why, what we have done about it, and how we are improving going forward.

Are you affected?

The exposure was limited to 893 customer email addresses used in feature flag targeting rules to control which users see specific features during rollouts. If your email address was among those included in a feature flag configuration, you have been contacted directly. If you did not hear from us, your email address was not on that list.

No workspace content (tasks, docs, files, or project data) was exposed for any customer, with one potential exception described below. No passwords, billing data, or account credentials were exposed. No authentication systems were compromised.

The technical issue

ClickUp uses Split.io (now part of Harness) for feature flag management. Like most browser-side feature flag SDKs, Split.io requires a client-side SDK key embedded in the application's JavaScript bundle. This key is intentionally public; it is how the SDK evaluates flags for the current user in the browser. This is standard, documented behavior across Split.io, LaunchDarkly, and similar platforms, and it is not a vulnerability on its own.

The key is not the issue. What our engineers put inside the flag configurations is.

Here is what happened architecturally. Feature flag platforms let engineers target specific users for feature rollouts, for example to enable a feature for a specific set of beta testers. ClickUp engineering teams had used email addresses directly in flag targeting rules. The Split.io SDK's publicly queryable splitChanges endpoint returns the full set of flag definitions, including these targeting rules, to anyone presenting the client-side key. Since that key is, by design, in our frontend code, anyone could retrieve the flag definitions and extract the email addresses embedded in them. Engineers treated flag configurations as internal tooling, when the SDK architecture makes them publicly queryable by design.
That allowed the email addresses to accumulate in a place they never should have been. Feature flag updates require a +1 peer review, similar to code. This review step did not catch this.

The one exception: a flag configured for rate limiting a single customer

An on-call engineer responding to API abuse referenced a customer's API token in a rate-limiting flag configuration to throttle that workspace's traffic, making the token potentially readable via the SDK endpoint. This should never have happened: credentials do not belong in flag configs. We disabled the token immediately, and as of now our log investigation shows no signs of malicious access beyond the researcher's own investigation. No other customer tokens or workspace data were accessible, and we are working directly with this customer.

What was exposed and what wasn't

Claim: SDK key hardcoded in bundle
Our finding: Correct and by design. This is how browser-side feature flag SDKs work. Not a vulnerability on its own.

Claim: 893 customer email addresses in flag targeting rules
Our finding: Correct at time of report. All third-party email addresses were removed by April 28, 03:25 UTC.

Claim: Live customer API token in flag config
Our finding: Confirmed. Added October 7, 2025. Invalidated April 27, 2026, 12:05 UTC.

Claim: Write access to Split.io
Our finding: Correct and by design. The browser SDK's telemetry endpoints (events/bulk, testImpressions) accept writes as part of standard SDK behavior. This is not a ClickUp misconfiguration.

Claim: "No remediation for 15 months"
Our finding: Mischaracterized; the dates are correct. The original January 17, 2025 bug bounty report about the SDK key did not result in an engineering task, because the key alone is not the vulnerability. The email addresses and flag configurations were the actual issue, and they were not included in that original report. The flag configurations were not disclosed to HackerOne until April 8, 2026, and were not known to ClickUp until April 27, 2026.

Timeline

We are committed to being fully transparent about where our processes failed, including failures by our third-party bug bounty provider and our own internal communication tools.

2025-01-17: A researcher reports the Split.io SDK key disclosure to our bug bounty program on Bugcrowd. Given the report's contents, this was correctly marked as informational by Bugcrowd and ClickUp.

2025-06-03: ClickUp moves the bug bounty program to HackerOne. All past reports are successfully migrated, including the issue above.

2026-04-08: A researcher under the handle impulsive files a new, detailed report on HackerOne documenting expanded impact: 893 customer email addresses in flag targeting rules, the live customer API token, and other operational data.

2026-04-10: A HackerOne triage analyst incorrectly closes the report as a duplicate of the January 2025 report, missing that the new report documents mate
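An added check for the two failure modes described in "The technical issue" and "The one exception" above (customer emails in targeting rules, and a credential pasted into a rate-limit flag). This is example code written for this entry, not code from ClickUp, Split/Harness or the researcher. It scans a splitChanges-style payload, such as one downloaded with the client-side key or exported before a flag change is approved, for values that look like email addresses or opaque tokens, and masks any token it reports. The payload field names follow the Split splitChanges format as understood here and are an assumption; the flag names, emails and token in the sample are constructed data; the two regexes are deliberately loose heuristics.

```javascript
// Added example (not ClickUp's or Split's code): audit a Split-style
// splitChanges payload for email addresses and credentials embedded in
// targeting rules. The payload shape (splits -> conditions -> matcherGroup
// -> matchers -> whitelistMatcherData.whitelist) is assumed from the Split
// splitChanges format; all flag names, emails and tokens are constructed.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Heuristic for opaque secrets: 32+ token-alphabet chars containing both
// letters and digits. Broad on purpose: a false positive costs one review.
const SECRET_RE = /^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9_-]{32,}$/;

function classify(value) {
  if (EMAIL_RE.test(value)) return 'email';
  if (SECRET_RE.test(value)) return 'secret';
  return null;
}

// Never echo a full credential into audit output; keep enough to locate it.
function mask(value) {
  return value.slice(0, 4) + '...' + value.slice(-4);
}

// Visit every string leaf under a node. Walking the whole condition rather
// than only known matcher fields keeps new matcher types covered.
function walkStrings(node, visit) {
  if (typeof node === 'string') {
    visit(node);
  } else if (Array.isArray(node)) {
    node.forEach((child) => walkStrings(child, visit));
  } else if (node && typeof node === 'object') {
    Object.values(node).forEach((child) => walkStrings(child, visit));
  }
}

// One finding per suspicious value: { flag, kind, value }. Only the targeting
// rules (conditions) are scanned; that is what the client-side key exposes.
function auditSplitChanges(payload) {
  const findings = [];
  for (const split of payload.splits || []) {
    for (const condition of split.conditions || []) {
      walkStrings(condition, (value) => {
        const kind = classify(value);
        if (kind) {
          findings.push({
            flag: split.name,
            kind,
            value: kind === 'secret' ? mask(value) : value,
          });
        }
      });
    }
  }
  return findings;
}

// Review gate for flag changes: true when no rule carries an email or secret.
function flagConfigIsClean(payload) {
  return auditSplitChanges(payload).length === 0;
}

// Constructed sample: a beta flag whitelisting emails, a rate-limit flag
// whitelisting an API token (the two failure modes in the post), and a clean
// rollout keyed on a segment, which must not be flagged.
const SAMPLE_SPLIT_CHANGES = {
  splits: [
    {
      name: 'new_sidebar_beta',
      conditions: [{
        matcherGroup: { combiner: 'AND', matchers: [{
          matcherType: 'WHITELIST',
          keySelector: { trafficType: 'user', attribute: 'email' },
          whitelistMatcherData: { whitelist: ['alice@example.com', 'bob@example.com'] },
        }] },
      }],
    },
    {
      name: 'rate_limit_abusive_workspace',
      conditions: [{
        matcherGroup: { combiner: 'AND', matchers: [{
          matcherType: 'WHITELIST',
          keySelector: { trafficType: 'user', attribute: 'api_token' },
          whitelistMatcherData: { whitelist: ['tok_0123456789abcdef0123456789abcdef'] },
        }] },
      }],
    },
    {
      name: 'dark_mode_rollout',
      conditions: [{
        matcherGroup: { combiner: 'AND', matchers: [{
          matcherType: 'IN_SEGMENT',
          userDefinedSegmentMatcherData: { segmentName: 'beta_testers' },
        }] },
      }],
    },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditSplitChanges(SAMPLE_SPLIT_CHANGES), null, 2));
}
```

The useful place for this is the +1 review step the post says failed: run the audit on the proposed flag definitions and block the change when the result is non-empty. The deeper fix is to make the rules themselves safe to publish, since a client-side key publishes every rule: target on opaque identifiers (hashed user or workspace IDs, or segment membership resolved server-side) rather than on emails, and never on credentials.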

Entities

ClickUp (product), Split.io (product), Harness (vendor), Feature flag management (technology)