Listen to this Post

Introduction
ClickUp, a popular productivity and project management platform used by companies and public institutions worldwide, is now under intense scrutiny after major security flaws were uncovered.
A security researcher revealed that a hardcoded API key inside ClickUp’s production code exposed sensitive internal data.
The issue not only affected enterprise environments but also potentially impacted government-related information.
Alongside this, a critical server-side vulnerability raised even more concerns about cloud security practices and long-term oversight failures.
Summary of the Incident
ClickUp was found embedding a Split.io SDK token directly into its production JavaScript bundle
The script is automatically loaded from ClickUp’s content delivery network whenever users access the platform
This made the token publicly visible to anyone inspecting the page source
No authentication or advanced access was required to retrieve the key
A researcher identified as @weezerOSINT discovered and analyzed the issue
By using the exposed token, a single API request to Split.io returned around 4.5MB of internal backend data
The data included 959 email addresses tied to employees from Fortune 500 companies
Government organizations from at least three different countries were also affected
The exposure highlights how a simple misconfiguration can escalate into large-scale data leakage
Hardcoded API keys are considered a critical security flaw in modern application development
They are meant to be stored securely on servers, not inside client-side code
The exposed key effectively bypassed normal access controls
Reports suggest the vulnerability remained active for over a year before being addressed
This raises concerns about ClickUp’s internal security monitoring and audit processes
In addition to the API issue, a Server-Side Request Forgery (SSRF) vulnerability was discovered
The flaw existed in ClickUp’s webhook functionality
Attackers could manipulate the system into making unauthorized internal network requests
A demonstration showed that AWS metadata services could be targeted through this flaw
This allowed retrieval of internal IAM credentials in a controlled test scenario
Such access could enable attackers to escalate privileges within cloud infrastructure
SSRF vulnerabilities are considered highly dangerous in cloud-based environments
They can lead to lateral movement and full system compromise in worst cases
Despite responsible disclosure, ClickUp reportedly marked the report as a duplicate issue
The response was closed within two days according to the researcher
Evidence suggests the issue may have been known since January 2025
This indicates a possible delay of more than 15 months without a fix
ClickUp holds multiple security certifications including SOC 2 Type 2 and ISO standards
However, the existence of these vulnerabilities raises questions about audit effectiveness
The incident adds to a growing list of overlooked security flaws in major SaaS platforms
It also highlights ongoing risks in modern cloud-first development environments
What Undercode Say:
The ClickUp incident is not just a simple coding mistake
It represents a deeper architectural and governance failure in secure software development
Hardcoded secrets in frontend applications are among the oldest security mistakes
Yet they continue to appear in major platforms despite industry awareness
This suggests that secure development lifecycle practices are either missing or inconsistently enforced
Even well-known companies still struggle with basic secret management hygiene
The exposure of 4.5MB of backend data shows how small errors scale quickly
API keys are often treated as convenience tools instead of high-risk credentials
Once exposed, they effectively become open doors into internal systems
The fact that email addresses from Fortune 500 companies were included increases the severity
Government-related data exposure introduces compliance and legal implications
The SSRF vulnerability is even more concerning from an infrastructure perspective
It demonstrates how attackers can pivot from application layer to cloud metadata services
Accessing IAM credentials through SSRF is a known high-impact attack vector
This type of flaw is often used in real-world cloud breaches
ClickUp’s webhook system appears to have lacked proper request validation controls
That design gap allowed attackers to manipulate internal request behavior
Security certifications like SOC 2 and ISO standards do not guarantee real-time security
They reflect compliance at a point in time, not continuous protection
The delayed response to known vulnerabilities raises questions about patch management culture
Closing reports as duplicates without visible remediation can create blind spots
Security teams may have alert fatigue or prioritization issues
This case also shows the importance of external security researchers
Without @weezerOSINT, the exposure might have remained unnoticed longer
Bug bounty ecosystems play a critical role in modern cybersecurity defense
However, response quality from vendors remains inconsistent across the industry
Cloud-native applications require stricter isolation between frontend and backend secrets
Organizations should adopt secret vaulting systems instead of embedding tokens
Continuous security testing should be integrated into deployment pipelines
Static analysis tools could have detected the hardcoded API key earlier
Webhooks should never directly interact with sensitive internal services
SSRF protection mechanisms like metadata service blocking are essential
The incident reinforces that compliance is not equal to security maturity
Real security is proven through resistance to exploitation, not certification badges
ClickUp’s case is a reminder that even mature SaaS platforms are not immune
Attack surface reduction must remain a constant engineering priority
Security failures often come from overlooked small configurations, not complex exploits
The combination of API leakage and SSRF creates a high-risk threat chain
If exploited by malicious actors, the impact could extend beyond data exposure to infrastructure takeover
Fact Checker Results
❌ Hardcoded API keys in client-side code are considered insecure by industry standards
❌ SSRF vulnerabilities can allow access to internal cloud metadata services if unprotected
⚠️ Reported duration of exposure and response delay is based on researcher claims and requires vendor confirmation
Prediction
Future audits will likely force ClickUp and similar platforms to strengthen secret management systems
More automated scanning tools will be integrated into CI/CD pipelines to detect exposed credentials
Cloud providers may further restrict metadata access to reduce SSRF impact risks
🕵️📝Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




