Notion Public Pages Exposed Editor Profile Photos and Emails
Key Takeaways Notion’s public pages have been exposing the full names, email addresses, and profile photos of anyone who has edited them. This vulnerability stems from internal editor UUIDs...
Key Takeaways
- Notion’s public pages have been exposing the full names, email addresses, and profile photos of anyone who has edited them.
- This vulnerability stems from internal editor UUIDs embedded in public page data, accessible without authentication.
- The issue, originally reported in July 2022, was triaged as “informative” and remained unpatched for nearly four years.
- The exposed data significantly increases the risk of sophisticated phishing and social engineering attacks against Notion users and organizations.
- Notion has acknowledged the problem and is developing a fix to either remove PII from public endpoints or implement an email proxy.
Notion, a widely adopted platform for productivity and collaboration, is currently facing intense scrutiny from the cybersecurity community. Reports indicate that public Notion pages have been inadvertently exposing the profile photos and email addresses of editors, sparking significant privacy concerns for both individual users and organizations.
Table Of Content
Security researchers have highlighted that any public Notion page silently reveals personally identifiable information (PII) for all individuals who have contributed to its content.
This data exposure encompasses full names, email addresses, and profile pictures, creating substantial privacy risks, particularly for enterprises that leverage Notion for public-facing documentation.
Notion Pages Expose User Data
The core of this vulnerability lies in Notion’s method of processing user data within public workspaces. When a document is published to the web, the platform embeds unique editor identifiers (UUIDs) directly into the page’s block permissions.
Threat actors and open-source intelligence (OSINT) researchers discovered that these internal identifiers are easily retrievable from the page data without requiring any form of authentication, active session cookies, or security tokens.
Once these UUIDs are collected, an attacker can submit them via a single unauthenticated POST request to Notion’s internal API endpoint: /api/v3/syncRecordValuesMain.
Because this endpoint lacks access controls for public page data, it subsequently returns the complete user profiles linked to those UUIDs.
every public Notion page is leaking the email addresses of everyone who edited it.
zero authentication. no cookies. no tokens. one POST request returns full names, emails, and profile photos for every editor on the page.
your company wiki is public? every employee’s email is… pic.twitter.com/jqWSCVBoyH
— impulsive (@weezerOSINT) April 19, 2026
As a result, a company’s public wiki or an open-source project board hosted on Notion could inadvertently expose the precise contact information of every employee or contributor involved with the document.
A particularly contentious aspect of this exposure is its prolonged, unaddressed history. According to security researchers, the exact API behavior leading to this data leak was responsibly disclosed to Notion via the HackerOne bug bounty program in July 2022.
At that time, Notion’s security team classified the submission as merely “informative” and closed the report as out of scope, without implementing a structural patch.
The issue recently resurfaced on X, igniting widespread indignation among developers and cybersecurity professionals. Many paying subscribers expressed severe dissatisfaction with the platform’s perceived negligence, noting that an unaddressed vulnerability for nearly four years has left thousands of indexable pages susceptible to data scraping.
Security experts have underscored that this exposed data significantly expands the attack surface for highly targeted phishing campaigns and sophisticated social engineering attacks aimed at corporate entities.
Official Response and Proposed Mitigations
Following the intense public reaction, Notion has officially acknowledged the problem. Max Schoening, a Notion representative, addressed the community’s concerns, stating that the platform does provide users with warnings regarding data visibility when a page is published to the web.
However, acknowledging that this design choice presents unacceptable security risks, Notion is now actively working on a permanent architectural solution.
The engineering team plans to either completely remove PII from public-facing endpoints or implement an email proxy system to mask user addresses.
In the interim, organizations utilizing Notion for publicly accessible resources should exercise heightened vigilance, as their employees’ contact information may already be indexed and available to automated scraping tools.
What You Should Do
- Review all public Notion pages within your organization to understand the extent of potential data exposure.
- Consider unpublishing sensitive public pages or restricting access until Notion implements a permanent fix.
- Inform employees about the potential for increased phishing and social engineering attempts due to exposed contact information.
- Implement robust internal security awareness training to help users identify and report suspicious communications.
- Monitor official Notion communications for updates regarding the vulnerability and the release of a patch.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.