Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
APT-C-20 Hackers Use PNG Images to Deliver Fileless C# Backdoor
July 8, 2026
PromptSpy Android Malware Leverages Google Gemini for Adaptive Attacks
July 8, 2026
ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification
July 8, 2026
Home/CyberSecurity News/Notion Public Pages Exposed Editor Profile Photos and Emails
CyberSecurity News

Notion Public Pages Exposed Editor Profile Photos and Emails

Key Takeaways Notion’s public pages have been exposing the full names, email addresses, and profile photos of anyone who has edited them. This vulnerability stems from internal editor UUIDs...

Emy Elsamnoudy
Emy Elsamnoudy
April 20, 2026 3 Min Read
38 0

Key Takeaways

  • Notion’s public pages have been exposing the full names, email addresses, and profile photos of anyone who has edited them.
  • This vulnerability stems from internal editor UUIDs embedded in public page data, accessible without authentication.
  • The issue, originally reported in July 2022, was triaged as “informative” and remained unpatched for nearly four years.
  • The exposed data significantly increases the risk of sophisticated phishing and social engineering attacks against Notion users and organizations.
  • Notion has acknowledged the problem and is developing a fix to either remove PII from public endpoints or implement an email proxy.

Notion, a widely adopted platform for productivity and collaboration, is currently facing intense scrutiny from the cybersecurity community. Reports indicate that public Notion pages have been inadvertently exposing the profile photos and email addresses of editors, sparking significant privacy concerns for both individual users and organizations.

Table Of Content

  • Key Takeaways
  • Notion Pages Expose User Data
  • Official Response and Proposed Mitigations
  • What You Should Do

Security researchers have highlighted that any public Notion page silently reveals personally identifiable information (PII) for all individuals who have contributed to its content.

This data exposure encompasses full names, email addresses, and profile pictures, creating substantial privacy risks, particularly for enterprises that leverage Notion for public-facing documentation.

Notion Pages Expose User Data

The core of this vulnerability lies in Notion’s method of processing user data within public workspaces. When a document is published to the web, the platform embeds unique editor identifiers (UUIDs) directly into the page’s block permissions.

Threat actors and open-source intelligence (OSINT) researchers discovered that these internal identifiers are easily retrievable from the page data without requiring any form of authentication, active session cookies, or security tokens.

Once these UUIDs are collected, an attacker can submit them via a single unauthenticated POST request to Notion’s internal API endpoint: /api/v3/syncRecordValuesMain.

Because this endpoint lacks access controls for public page data, it subsequently returns the complete user profiles linked to those UUIDs.

every public Notion page is leaking the email addresses of everyone who edited it.

zero authentication. no cookies. no tokens. one POST request returns full names, emails, and profile photos for every editor on the page.

your company wiki is public? every employee’s email is… pic.twitter.com/jqWSCVBoyH

— impulsive (@weezerOSINT) April 19, 2026

As a result, a company’s public wiki or an open-source project board hosted on Notion could inadvertently expose the precise contact information of every employee or contributor involved with the document.

A particularly contentious aspect of this exposure is its prolonged, unaddressed history. According to security researchers, the exact API behavior leading to this data leak was responsibly disclosed to Notion via the HackerOne bug bounty program in July 2022.

At that time, Notion’s security team classified the submission as merely “informative” and closed the report as out of scope, without implementing a structural patch.

The issue recently resurfaced on X, igniting widespread indignation among developers and cybersecurity professionals. Many paying subscribers expressed severe dissatisfaction with the platform’s perceived negligence, noting that an unaddressed vulnerability for nearly four years has left thousands of indexable pages susceptible to data scraping.

Security experts have underscored that this exposed data significantly expands the attack surface for highly targeted phishing campaigns and sophisticated social engineering attacks aimed at corporate entities.

Official Response and Proposed Mitigations

Following the intense public reaction, Notion has officially acknowledged the problem. Max Schoening, a Notion representative, addressed the community’s concerns, stating that the platform does provide users with warnings regarding data visibility when a page is published to the web.

However, acknowledging that this design choice presents unacceptable security risks, Notion is now actively working on a permanent architectural solution.

The engineering team plans to either completely remove PII from public-facing endpoints or implement an email proxy system to mask user addresses.

In the interim, organizations utilizing Notion for publicly accessible resources should exercise heightened vigilance, as their employees’ contact information may already be indexed and available to automated scraping tools.

What You Should Do

  • Review all public Notion pages within your organization to understand the extent of potential data exposure.
  • Consider unpublishing sensitive public pages or restricting access until Notion implements a permanent fix.
  • Inform employees about the potential for increased phishing and social engineering attempts due to exposed contact information.
  • Implement robust internal security awareness training to help users identify and report suspicious communications.
  • Monitor official Notion communications for updates regarding the vulnerability and the release of a patch.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityHackerPatchphishingSecurityThreatVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Google Gemini AI Blocks 8.3 Billion Malicious Ads

Next Post

FUDCrypt Generates Microsoft-Signed Malware With Persistence and C2

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
DuckDuckGo Browser Uses Community Filter Lists to Block YouTube Ads
July 8, 2026
Critical RCE Flaw in Claude Desktop App Lets Attackers Execute Remote Code
July 8, 2026
CrowdStrike Reveals 5 New AI Prompt Injection Techniques
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us