ClickUp Feature Flag Misconfiguration Exposes Data
A design flaw in the Notion API has been identified, allowing unauthenticated access to public pages and exposing user emails. The vulnerability has reportedly been active since 2022, posing a significant privacy risk to users. Security researchers are currently investigating the scope of the data exposure.

A hardcoded API key in ClickUp has silently leaked 959 corporate and government emails over a 15-month period. The vulnerability allowed unauthorized access to sensitive communications across multiple organizations. A misconfiguration in ClickUp's feature flags exposed 893 customer email addresses and one live API token.
Sources · 7 independent
Mastodon
“Notion API leaking PII 🚨 Public pages → emails exposed. No auth required. 💬 Design flaw or expected?”
Mastodon
“ClickUp’s Hardcoded API Key Has Silently Leaked 959 Corporate and Government Emails for 15 Months”
Mastodon
“ClickUp Discloses Feature Flag Misconfiguration That Exposed 893 Customer Email Addresses and a Live API Token”