{"id":614162,"date":"2026-04-28T13:34:52","date_gmt":"2026-04-28T20:34:52","guid":{"rendered":"https:\/\/clickup.com\/blog\/?p=614162"},"modified":"2026-04-28T16:13:10","modified_gmt":"2026-04-28T23:13:10","slug":"april-27th-update","status":"publish","type":"post","link":"https:\/\/clickup.com\/blog\/april-27th-update\/","title":{"rendered":"April 27th &#8211; What happened with our feature flag configuration"},"content":{"rendered":"\n<p>On April 27, 2026, a security researcher publicly disclosed that ClickUp&#8217;s client-side feature flag configuration exposed personally identifiable information. Specifically, 893 customer email addresses were embedded in feature flag targeting rules, along with one flag that improperly referenced a customer&#8217;s API token, used during an incident response to rate-limit traffic from that workspace.<\/p>\n\n\n\n<p>We should have caught this sooner. We didn&#8217;t, and we owe you a clear explanation of what happened, why, what we&#8217;ve done about it, and how we&#8217;re improving going forward.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Are you affected?<\/h2>\n\n\n\n<p>The exposure was limited to <strong>893 customer email addresses used in feature flag targeting rules<\/strong> to control which users see specific features during rollouts.<\/p>\n\n\n\n<p><strong>If you receive a direct communication from us on or before April 29 (notifications are ongoing), your email address was among those included in a feature flag configuration.<\/strong> If you did not hear from us, your email address was not among them.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>No workspace content<\/strong> (tasks, docs, files, or project data) was exposed for any customer \u2014 with one potential exception described below.<\/li>\n\n\n\n<li><strong>No passwords, billing data, or account credentials<\/strong> were exposed.<\/li>\n\n\n\n<li><strong>No authentication 
systems<\/strong> were compromised.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">The technical issue<\/h2>\n\n\n\n<p>ClickUp uses <a href=\"http:\/\/Split.io\" rel=\"noreferrer noopener\" target=\"_blank\">Split.io<\/a> (now part of Harness) for feature flag management. Like most browser-side feature flag SDKs, <a href=\"http:\/\/Split.io\" rel=\"noreferrer noopener\" target=\"_blank\">Split.io<\/a> requires a <strong>client-side SDK key<\/strong> embedded in the application&#8217;s JavaScript bundle. This key is intentionally public and it&#8217;s how the SDK evaluates flags for the current user in the browser. This is standard, documented behavior across <a href=\"http:\/\/Split.io\" rel=\"noreferrer noopener\" target=\"_blank\">Split.io<\/a>, LaunchDarkly, and similar platforms, and it is not a vulnerability.<\/p>\n\n\n\n<p><strong>The key is not the issue. What our engineers put inside the flag configurations is.<\/strong><\/p>\n\n\n\n<p>Here&#8217;s what happened architecturally: feature flag platforms allow engineers to target specific users for feature rollouts. ClickUp engineering teams had used email addresses directly in flag targeting rules. An example is to enable a feature for a specific set of beta testers. The <a href=\"http:\/\/Split.io\" rel=\"noreferrer noopener\" target=\"_blank\">Split.io<\/a> SDK&#8217;s publicly queryable <code>splitChanges<\/code> endpoint returns the full set of flag definitions, including these targeting rules. This means anyone with the client-side key (which, again, is intentionally in our frontend code) could retrieve those flag definitions and extract the email addresses embedded in them.<\/p>\n\n\n\n<p>Engineers treated flag configurations as internal tooling, when the SDK architecture makes them publicly queryable by design. That allowed the email addresses to accumulate in a place they never should have been. 
Feature flag updates require a +1 peer review, similar to code. This review step did not catch this.<\/p>\n\n\n\n<p><strong>The one exception &#8211; A flag configured for rate limiting a single customer<\/strong><\/p>\n\n\n\n<p>An on-call engineer responding to API abuse referenced a customer&#8217;s API token in a rate-limiting flag configuration to throttle traffic, making it potentially readable via the SDK endpoint. This should never have happened: credentials do not belong in flag configs. We disabled the token immediately, and as of now, our log investigation shows no signs of malicious access beyond the researcher&#8217;s own investigation. No other customer tokens or workspace data were accessible, and we&#8217;re working directly with this customer.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What was exposed and what wasn&#8217;t<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Claim<\/strong>&nbsp;&nbsp;<\/td><td><strong>Our finding<\/strong>&nbsp;&nbsp;<\/td><\/tr><tr><td>SDK key hardcoded in bundle&nbsp;&nbsp;<\/td><td><strong>Correct and by design.<\/strong> This is how browser-side feature flag SDKs work. Not a vulnerability alone.&nbsp;&nbsp;<\/td><\/tr><tr><td>893 customer email addresses in flag targeting rules&nbsp;&nbsp;<\/td><td><strong>Correct at time of report.<\/strong> All third-party email addresses removed by April 28, 03:25 UTC.&nbsp;&nbsp;<\/td><\/tr><tr><td>Live customer API token in flag config&nbsp;&nbsp;<\/td><td><strong>Confirmed.<\/strong> Added October 7, 2025. Invalidated April 27, 2026 12:05 UTC.&nbsp;&nbsp;<\/td><\/tr><tr><td>Write access to Split.io&nbsp;&nbsp;<\/td><td><strong>Correct and by design.<\/strong> The browser SDK&#8217;s telemetry endpoints (events\/bulk, testImpressions) accept writes as part of standard SDK behavior. 
This is not a ClickUp misconfiguration.&nbsp;&nbsp;<\/td><\/tr><tr><td>&#8220;No remediation for 15 months&#8221;&nbsp;&nbsp;<\/td><td><strong>Mischaracterized; dates are correct.<\/strong> The original January 17, 2025 bug bounty report about the SDK key did not result in an engineering task as the key alone is not the vulnerability. The email addresses and flag configurations were the actual issue and not included in this original report. The flag configurations were not disclosed until April 8, 2026 to HackerOne and not known to ClickUp until April 27, 2026.\u00a0\u00a0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Timeline<\/h2>\n\n\n\n<p>We are committed to being fully transparent about where our processes failed, including failures by our third-party bug bounty provider and our own internal communication tools.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Date<\/strong>&nbsp;&nbsp;<\/td><td><strong>Event<\/strong>&nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2025-01-17<\/strong>&nbsp;&nbsp;<\/td><td>A researcher reports the Split.io SDK key disclosure to our bug bounty program on BugCrowd. This was, given the report&#8217;s contents, correctly marked as informational by BugCrowd and ClickUp.&nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2025-06-03<\/strong>&nbsp;&nbsp;<\/td><td>ClickUp moves the bug bounty program to HackerOne. All past reports are successfully migrated, including the issue above.&nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-08<\/strong>&nbsp;&nbsp;<\/td><td>Researcher under the handle <code>impulsive<\/code> files a new, detailed report on HackerOne documenting expanded impact: 893 customer email addresses in flag targeting rules, the live customer API token, and other operational data. 
&nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-10<\/strong>&nbsp;&nbsp;<\/td><td>HackerOne triage analyst incorrectly closes the report as a duplicate of the January 2025 report, missing that the new report documents materially different and expanded impact. On further review we identified two other instances of similar reports being incorrectly closed &#8211; one on September 6, 2025 and one on January 1, 2026.&nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-21<\/strong>&nbsp;&nbsp;<\/td><td>The researcher pushes back on the closure with additional detail to HackerOne. &nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-25<\/strong>&nbsp;&nbsp;<\/td><td>The researcher escalates inside HackerOne, emails ClickUp&#8217;s CEO and security@clickup.com, and DMs ClickUp on X, setting a May 2 public disclosure deadline. The emails to ClickUp&#8217;s CEO and security@ are caught by spam filters and do not reach the intended recipients. The X DMs to ClickUp are automatically filtered and not read.&nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-27 ~10:42 UTC<\/strong>&nbsp;&nbsp;<\/td><td>The researcher publicly discloses on X.&nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-27 11:06 UTC<\/strong>&nbsp;&nbsp;<\/td><td>ClickUp becomes aware. Incident declared. The incident response process kicks off and rotation of the customer API token is initiated. &nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-27 12:53-14:12 UTC<\/strong>&nbsp;&nbsp;<\/td><td>Initial Split flag cleanups across engineering squads.&nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-27 ~17:00 UTC<\/strong>&nbsp;&nbsp;<\/td><td>Full automated audit of all 4,809 feature flags completed. &nbsp;&nbsp;<\/td><\/tr><tr><td><strong>2026-04-27 23:13 UTC<\/strong>&nbsp;&nbsp;<\/td><td>ClickUp and Harness (Split) engineers review technical details. &nbsp;<\/td><\/tr><tr><td><strong>2026-04-28 03:25 UTC<\/strong>&nbsp;&nbsp;<\/td><td>All customer email addresses confirmed removed from flag configurations. 
<em>Note: some third party email addresses intentionally remain in two flags; related to fraudulent use.<\/em>&nbsp;&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Where our process failed<\/h2>\n\n\n\n<p>Three things went wrong here, and we want to name each one clearly. We will discuss changes in the following section.<\/p>\n\n\n\n<p><strong>1. No second-order follow-through on the original report.<\/strong> The January 2025 bug bounty report could have resulted in an engineering task and a review of what data was living inside flag configs. It didn&#8217;t. We are updating our triage process to prevent this from happening again in the future.<\/p>\n\n\n\n<p><strong>2. HackerOne mishandled the duplicate closure.<\/strong> The April 2026 report documented substantially new impact compared to the January 2025 report. It should not have been closed as a duplicate by HackerOne. On further review, we identified two other instances of similar reports being closed &#8211; one on September 6, 2025, and one on January 1, 2026. We are working with HackerOne to address gaps in their triage processes. We will be including a secondary review of all HackerOne reports to ensure we aren&#8217;t reliant on third-party processes moving forward.<\/p>\n\n\n\n<p><strong>3. Our email service flagged the researcher&#8217;s escalation in spam.<\/strong> On Saturday, April 25, 2026 the researcher emailed both our CEO and <a href=\"mailto:security@clickup.com\" target=\"_blank\" rel=\"noreferrer noopener\">security@clickup.com<\/a>, and DM&#8217;d ClickUp&#8217;s X account.<\/p>\n\n\n\n<p>We did not see these emails until after the public X post. 
They were found following an internal investigation into spam folders and X DM filtering.<\/p>\n\n\n\n<p>We are updating our email filtering and spam review processes to ensure security-related inbound communications are not silently dropped.<\/p>\n\n\n\n<p><strong>None of these excuse the core issue: customer data should never have been in our feature flag configurations in the first place.<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What we&#8217;ve done<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Immediate (completed)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Invalidated the exposed customer API token.<\/li>\n\n\n\n<li>Removed all customer email addresses from feature flag configurations.<\/li>\n\n\n\n<li>Issued an engineering-wide directive prohibiting PII or credentials in flag configurations.<\/li>\n\n\n\n<li>Completed a full audit of all feature flags for PII, credentials, and sensitive data.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Short-term (in progress)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Updated email filtering rules to ensure <a href=\"mailto:security@clickup.com\" target=\"_blank\" rel=\"noreferrer noopener\">security@clickup.com<\/a> surfaces all inbound security communications, adding a process step to (safely) examine spam messages.<\/li>\n\n\n\n<li>Review of bug bounty triage workflows with HackerOne to prevent valid reports from being incorrectly closed.<\/li>\n\n\n\n<li>Training of feature flag reviewers on what content is approved in flag configurations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Long-term<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automated scanning of all feature flag configurations for PII patterns (email addresses, tokens, API keys) on every flag change, with blocking enforcement.<\/li>\n\n\n\n<li>An automated process and tooling to review all HackerOne triage decisions.<\/li>\n\n\n\n<li>Implement a proxy or technical measure to 
separate front-end flags and back-end flags.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">A note on the researcher<\/h2>\n\n\n\n<p>Once ClickUp was in contact with the researcher who disclosed this, operating under the handle <code>impulsive<\/code> \/ <code>@weezerOSINT<\/code>, they acted responsibly and provided all information requested.<\/p>\n\n\n\n<p>The researcher reported through proper channels (HackerOne, then direct email to <a href=\"mailto:security@clickup.com\" rel=\"noreferrer noopener\" target=\"_blank\">security@clickup.com<\/a> and our CEO) and engaged constructively when we made contact. Our internal processes failed to surface their report and escalations in time.<\/p>\n\n\n\n<p>After working with the researcher, ClickUp received the following message on April 28, 2026 at 1:47 UTC: &#8220;Thanks <em>[ClickUp]<\/em>, really appreciate how fast you&#8217;ve moved on this. Not something I see often and it makes a difference.&#8221;<\/p>\n\n\n\n<p>ClickUp is rewarding the researcher with a bug bounty for their findings. 
Other researchers are encouraged to join our Bug Bounty program, report responsibly through our <a href=\"https:\/\/clickup.com\/vulnerability-disclosure\" rel=\"noreferrer noopener\" target=\"_blank\">Vulnerability Disclosure Program<\/a>, or directly via email at <a href=\"mailto:security@clickup.com\" rel=\"noreferrer noopener\" target=\"_blank\">security@clickup.com<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p>The data exposed in this incident was limited in scope to 893 email addresses: no workspace content, passwords, or billing data was affected for any customer, with the exception of the single customer referenced above, with whom we are working directly to verify the token wasn&#8217;t improperly accessed.<\/p>\n\n\n\n<p>To our customers, we sincerely apologize that this happened, and we&#8217;ll do everything in our power to ensure something like this cannot happen again.<\/p>\n\n\n\n<p>We&#8217;ll update this post if new information is uncovered. If you have questions, contact <a href=\"mailto:security@clickup.com\" target=\"_blank\" rel=\"noreferrer noopener\">security@clickup.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On April 27, 2026, a security researcher publicly disclosed that ClickUp&#8217;s client-side feature flag configuration exposed personally identifiable information. Specifically, 893 customer email addresses were embedded in feature flag targeting rules, along with one flag that improperly referenced a customer&#8217;s API token, used during an incident response to rate-limit traffic from that workspace. 
We should [&hellip;]<\/p>\n","protected":false},"author":179,"featured_media":614164,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"cu_sticky_sidebar_cta_is_visible":true,"cu_sticky_sidebar_cta_title":"Start using ClickUp today","cu_sticky_sidebar_cta_bullet_1":"Manage all your work in one place","cu_sticky_sidebar_cta_bullet_2":"Collaborate with your team","cu_sticky_sidebar_cta_bullet_3":"Use ClickUp for FREE\u2014forever","cu_sticky_sidebar_cta_button_text":"Get Started","cu_sticky_sidebar_cta_button_link":"","footnotes":""},"categories":[1158],"tags":[],"class_list":["post-614162","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-disclosures"],"featured_image_src":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/Logomark-gradient.png","author_info":{"display_name":"ClickUp Security Team","author_link":"https:\/\/clickup.com\/blog\/author\/cusecurity\/"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>April 27th - What happened with our feature flag configuration | The ClickUp Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/clickup.com\/blog\/april-27th-update\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"April 27th - What happened with our feature flag configuration | The ClickUp Blog\" \/>\n<meta property=\"og:description\" content=\"On April 27, 2026, a security researcher publicly disclosed that ClickUp&#8217;s client-side feature flag configuration exposed personally identifiable information. 
Specifically, 893 customer email addresses were embedded in feature flag targeting rules, along with one flag that improperly referenced a customer&#8217;s API token, used during an incident response to rate-limit traffic from that workspace. We should [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/clickup.com\/blog\/april-27th-update\/\" \/>\n<meta property=\"og:site_name\" content=\"The ClickUp Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/clickupprojectmanagement\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-28T20:34:52+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-28T23:13:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/Logomark-gradient.png\" \/>\n\t<meta property=\"og:image:width\" content=\"256\" \/>\n\t<meta property=\"og:image:height\" content=\"256\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"ClickUp Security Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@clickup\" \/>\n<meta name=\"twitter:site\" content=\"@clickup\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ClickUp Security Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/\"},\"author\":{\"name\":\"ClickUp Security Team\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#\\\/schema\\\/person\\\/c5b62b279e6bbb5de6fdc6b442449d40\"},\"headline\":\"April 27th &#8211; What happened with our feature flag configuration\",\"datePublished\":\"2026-04-28T20:34:52+00:00\",\"dateModified\":\"2026-04-28T23:13:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/\"},\"wordCount\":1713,\"publisher\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/clickup.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Logomark-gradient.png\",\"articleSection\":[\"Disclosures\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/\",\"url\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/\",\"name\":\"April 27th - What happened with our feature flag configuration | The ClickUp 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/clickup.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Logomark-gradient.png\",\"datePublished\":\"2026-04-28T20:34:52+00:00\",\"dateModified\":\"2026-04-28T23:13:10+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/#primaryimage\",\"url\":\"https:\\\/\\\/clickup.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Logomark-gradient.png\",\"contentUrl\":\"https:\\\/\\\/clickup.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Logomark-gradient.png\",\"width\":256,\"height\":256},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/april-27th-update\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/clickup.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Disclosures\",\"item\":\"https:\\\/\\\/clickup.com\\\/blog\\\/disclosures\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"April 27th &#8211; What happened with our feature flag configuration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/clickup.com\\\/blog\\\/\",\"name\":\"The ClickUp Blog\",\"description\":\"The ClickUp 
Blog\",\"publisher\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/clickup.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#organization\",\"name\":\"ClickUp\",\"url\":\"https:\\\/\\\/clickup.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/clickup.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/logo-v3-clickup-light.jpg\",\"contentUrl\":\"https:\\\/\\\/clickup.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/logo-v3-clickup-light.jpg\",\"width\":503,\"height\":125,\"caption\":\"ClickUp\"},\"image\":{\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/clickupprojectmanagement\",\"https:\\\/\\\/x.com\\\/clickup\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/clickup-app\",\"https:\\\/\\\/en.wikipedia.org\\\/wiki\\\/ClickUp\",\"https:\\\/\\\/tiktok.com\\\/@clickup\",\"https:\\\/\\\/instagram.com\\\/clickup\",\"https:\\\/\\\/www.youtube.com\\\/@ClickUpProductivity\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/clickup.com\\\/blog\\\/#\\\/schema\\\/person\\\/c5b62b279e6bbb5de6fdc6b442449d40\",\"name\":\"ClickUp Security 
Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/0d5fc701590ffe49daf58685fab9d7fc9c3643381488d543d13a9ecb13b687df?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/0d5fc701590ffe49daf58685fab9d7fc9c3643381488d543d13a9ecb13b687df?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/0d5fc701590ffe49daf58685fab9d7fc9c3643381488d543d13a9ecb13b687df?s=96&d=retro&r=g\",\"caption\":\"ClickUp Security Team\"},\"url\":\"https:\\\/\\\/clickup.com\\\/blog\\\/author\\\/cusecurity\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"April 27th - What happened with our feature flag configuration | The ClickUp Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/clickup.com\/blog\/april-27th-update\/","og_locale":"en_US","og_type":"article","og_title":"April 27th - What happened with our feature flag configuration | The ClickUp Blog","og_description":"On April 27, 2026, a security researcher publicly disclosed that ClickUp&#8217;s client-side feature flag configuration exposed personally identifiable information. Specifically, 893 customer email addresses were embedded in feature flag targeting rules, along with one flag that improperly referenced a customer&#8217;s API token, used during an incident response to rate-limit traffic from that workspace. 
We should [&hellip;]","og_url":"https:\/\/clickup.com\/blog\/april-27th-update\/","og_site_name":"The ClickUp Blog","article_publisher":"https:\/\/www.facebook.com\/clickupprojectmanagement","article_published_time":"2026-04-28T20:34:52+00:00","article_modified_time":"2026-04-28T23:13:10+00:00","og_image":[{"width":256,"height":256,"url":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/Logomark-gradient.png","type":"image\/png"}],"author":"ClickUp Security Team","twitter_card":"summary_large_image","twitter_creator":"@clickup","twitter_site":"@clickup","twitter_misc":{"Written by":"ClickUp Security Team","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/clickup.com\/blog\/april-27th-update\/#article","isPartOf":{"@id":"https:\/\/clickup.com\/blog\/april-27th-update\/"},"author":{"name":"ClickUp Security Team","@id":"https:\/\/clickup.com\/blog\/#\/schema\/person\/c5b62b279e6bbb5de6fdc6b442449d40"},"headline":"April 27th &#8211; What happened with our feature flag configuration","datePublished":"2026-04-28T20:34:52+00:00","dateModified":"2026-04-28T23:13:10+00:00","mainEntityOfPage":{"@id":"https:\/\/clickup.com\/blog\/april-27th-update\/"},"wordCount":1713,"publisher":{"@id":"https:\/\/clickup.com\/blog\/#organization"},"image":{"@id":"https:\/\/clickup.com\/blog\/april-27th-update\/#primaryimage"},"thumbnailUrl":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/Logomark-gradient.png","articleSection":["Disclosures"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/clickup.com\/blog\/april-27th-update\/","url":"https:\/\/clickup.com\/blog\/april-27th-update\/","name":"April 27th - What happened with our feature flag configuration | The ClickUp 
Blog","isPartOf":{"@id":"https:\/\/clickup.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/clickup.com\/blog\/april-27th-update\/#primaryimage"},"image":{"@id":"https:\/\/clickup.com\/blog\/april-27th-update\/#primaryimage"},"thumbnailUrl":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/Logomark-gradient.png","datePublished":"2026-04-28T20:34:52+00:00","dateModified":"2026-04-28T23:13:10+00:00","breadcrumb":{"@id":"https:\/\/clickup.com\/blog\/april-27th-update\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/clickup.com\/blog\/april-27th-update\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/clickup.com\/blog\/april-27th-update\/#primaryimage","url":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/Logomark-gradient.png","contentUrl":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/Logomark-gradient.png","width":256,"height":256},{"@type":"BreadcrumbList","@id":"https:\/\/clickup.com\/blog\/april-27th-update\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/clickup.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Disclosures","item":"https:\/\/clickup.com\/blog\/disclosures\/"},{"@type":"ListItem","position":3,"name":"April 27th &#8211; What happened with our feature flag configuration"}]},{"@type":"WebSite","@id":"https:\/\/clickup.com\/blog\/#website","url":"https:\/\/clickup.com\/blog\/","name":"The ClickUp Blog","description":"The ClickUp 
Blog","publisher":{"@id":"https:\/\/clickup.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/clickup.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/clickup.com\/blog\/#organization","name":"ClickUp","url":"https:\/\/clickup.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/clickup.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2025\/07\/logo-v3-clickup-light.jpg","contentUrl":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2025\/07\/logo-v3-clickup-light.jpg","width":503,"height":125,"caption":"ClickUp"},"image":{"@id":"https:\/\/clickup.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/clickupprojectmanagement","https:\/\/x.com\/clickup","https:\/\/www.linkedin.com\/company\/clickup-app","https:\/\/en.wikipedia.org\/wiki\/ClickUp","https:\/\/tiktok.com\/@clickup","https:\/\/instagram.com\/clickup","https:\/\/www.youtube.com\/@ClickUpProductivity"]},{"@type":"Person","@id":"https:\/\/clickup.com\/blog\/#\/schema\/person\/c5b62b279e6bbb5de6fdc6b442449d40","name":"ClickUp Security Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/0d5fc701590ffe49daf58685fab9d7fc9c3643381488d543d13a9ecb13b687df?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/0d5fc701590ffe49daf58685fab9d7fc9c3643381488d543d13a9ecb13b687df?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0d5fc701590ffe49daf58685fab9d7fc9c3643381488d543d13a9ecb13b687df?s=96&d=retro&r=g","caption":"ClickUp Security 
Team"},"url":"https:\/\/clickup.com\/blog\/author\/cusecurity\/"}]}},"reading":["7"],"keywords":[["Disclosures","disclosures",1158]],"redirect_params":{"product":"","department":""},"is_translated":"true","author_data":{"name":"ClickUp Security Team","link":"https:\/\/clickup.com\/blog\/author\/cusecurity\/","image":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/clickup_app_logo.jpeg","position":""},"category_data":{"name":"Disclosures","slug":"disclosures","term_id":1158,"url":"https:\/\/clickup.com\/blog\/disclosures\/"},"hero_data":{"media_url":"","media_alt_text":"April 27th &#8211; What happened with our feature flag configuration","button":"","template_id":"","youtube_thumbnail_url":"","custom_button_text":"","custom_button_url":"https:\/\/"},"featured_media_data":{"id":614164,"url":"https:\/\/clickup.com\/blog\/wp-content\/uploads\/2026\/04\/Logomark-gradient.png","alt":"","mime_type":"image\/png","is_webm":false},"_links":{"self":[{"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/posts\/614162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/users\/179"}],"replies":[{"embeddable":true,"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/comments?post=614162"}],"version-history":[{"count":6,"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/posts\/614162\/revisions"}],"predecessor-version":[{"id":614347,"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/posts\/614162\/revisions\/614347"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/media\/614164"}],"wp:attachment":[{"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/media?parent=614162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/categories?post=61
4162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/clickup.com\/blog\/wp-json\/wp\/v2\/tags?post=614162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}