
ClickUp Discloses Feature Flag Misconfiguration That Exposed 893 Customer Email Addresses and a Live API Token
A security researcher's public disclosure on April 27 forced ClickUp to confront a misconfiguration its own engineering review process had missed for months: 893 customer email addresses embedded directly inside feature flag targeting rules, queryable by anyone holding the platform's intentionally public client-side SDK key.
ClickUp published its incident disclosure the following day. The company did not minimize what happened. "We should have caught this sooner. We didn't," the company said.
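The failure mode described above is that anything placed in a targeting rule of a flag served to client-side SDKs is retrievable with the public key. Added here as an illustration, not code from the article or from ClickUp: a pre-deploy check that scans a flag export for raw email addresses in targeting rules and rates client-visible flags as high severity. The JSON layout and field names (`clientSideAvailable`, `rules`, `values`) are assumed for the example, not any vendor's real schema.

```python
import json
import re

# Constructed sample flag export. The layout and field names are assumed for
# this example; they are not a specific vendor's schema.
FLAG_EXPORT = json.dumps({"flags": [
    {"key": "new-billing-ui", "clientSideAvailable": True, "rules": [
        {"attribute": "email", "op": "in",
         "values": ["alice@example.com", "bob@example.net"]},
        {"attribute": "country", "op": "in", "values": ["US"]}]},
    {"key": "internal-admin-tools", "clientSideAvailable": False, "rules": [
        {"attribute": "email", "op": "in", "values": ["ops@example.org"]}]},
    {"key": "beta-cohort", "clientSideAvailable": True, "rules": [
        {"attribute": "segment", "op": "in", "values": ["beta-2024"]}]},
]})

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_pii_in_flags(export_json: str) -> list[dict]:
    """One finding per rule whose values contain raw email addresses.
    Rules on client-visible flags are 'high': anything in them can be fetched
    with the public SDK key. Server-only flags are reported as 'low'."""
    findings = []
    for flag in json.loads(export_json)["flags"]:
        for idx, rule in enumerate(flag.get("rules", [])):
            emails = [v for v in rule.get("values", []) if EMAIL_RE.match(str(v))]
            if emails:
                findings.append({
                    "flag": flag["key"], "rule": idx, "count": len(emails),
                    "severity": "high" if flag.get("clientSideAvailable") else "low",
                })
    return findings


def suggest_fix(finding: dict) -> str:
    # Mitigation: target an opaque segment or user id instead of an address,
    # and keep person-level targeting in server-side evaluation.
    if finding["severity"] == "high":
        return (f"{finding['flag']} rule {finding['rule']}: {finding['count']} "
                "email(s) in a client-visible rule; replace with a segment id or "
                "hashed user key and evaluate server-side")
    return f"{finding['flag']} rule {finding['rule']}: server-only, prefer segment ids"


if __name__ == "__main__":
    for f in find_pii_in_flags(FLAG_EXPORT):
        print(f["severity"].upper(), suggest_fix(f))
```

Run against the constructed export, the check reports the client-visible billing flag as high and the server-only admin flag as low, while the segment-keyed beta flag produces no finding.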
What Did ClickUp Expose?
The exposure involved two distinct issues within the same feature flag configuration system. The first was the email addresses themselves — 893 customer addresses that Click...