{"id":12247,"date":"2026-04-20T10:03:49","date_gmt":"2026-04-20T10:03:49","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/20\/public-notion-pages-leaks-profile-photos-and-email-address-of-editors\/"},"modified":"2026-04-20T10:03:49","modified_gmt":"2026-04-20T10:03:49","slug":"public-notion-pages-leaks-profile-photos-and-email-address-of-editors","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/20\/public-notion-pages-leaks-profile-photos-and-email-address-of-editors\/","title":{"rendered":"Public Notion Pages Leaks Profile Photos and Email address of Editors"},"content":{"rendered":"<div>\n<p>Notion, a popular productivity and collaboration platform, is under significant scrutiny from the cybersecurity community.<\/p>\n<p>Security researchers have revealed that public Notion pages silently expose the personally identifiable information (PII) of anyone who has ever edited them.<\/p>\n<p>This <a href=\"https:\/\/cybersecuritynews.com\/instagram-data-leak-exposes-sensitive-info-of-17-5m-accounts\/\" target=\"_blank\" rel=\"noreferrer noopener\">data leak includes full names, email addresses, and profile photos<\/a>, raising significant privacy concerns for organizations that rely on the platform for public documentation.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-notion-pages-exposes-user-data\">\n<strong>Notion Pages Exposes<\/strong> <strong>User Data<\/strong><br \/>\n<\/h2>\n<p>The underlying vulnerability stems from how Notion processes user data within public workspaces.<\/p>\n<p>When a document is published to the web, the platform <a href=\"https:\/\/cybersecuritynews.com\/new-phishing-attack-bypasses-using-uuids-unique\/\" target=\"_blank\" rel=\"noreferrer noopener\">embeds editor UUIDs (Universally Unique Identifiers)<\/a> 
directly into the page\u2019s block permissions.<\/p>\n<p>Threat actors and open-source intelligence (OSINT) researchers discovered that these internal identifiers are readily accessible in the page data without requiring any authentication, <a href=\"https:\/\/cybersecuritynews.com\/vvs-stealer-attacking-discord-users\/\" target=\"_blank\" rel=\"noreferrer noopener\">active session cookies, or security tokens<\/a>.<\/p>\n<p>Once these UUIDs are harvested, an attacker can feed them into a single unauthenticated POST request to Notion\u2019s internal API endpoint:\u00a0<code>\/api\/v3\/syncRecordValuesMain<\/code>.<\/p>\n<p>Because this endpoint does not enforce access controls for public page data, it returns the complete user profiles associated with those UUIDs.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">every public Notion page is leaking the email addresses of everyone who edited it.<\/p>\n<p>zero authentication. no cookies. no tokens. one POST request returns full names, emails, and profile photos for every editor on the page.<\/p>\n<p>your company wiki is public? 
every employee&#8217;s email is\u2026 <a href=\"https:\/\/t.co\/jqWSCVBoyH\">pic.twitter.com\/jqWSCVBoyH<\/a><\/p>\n<p>\u2014 impulsive (@weezerOSINT) <a href=\"https:\/\/twitter.com\/weezerOSINT\/status\/2045849358462222720?ref_src=twsrc%5Etfw\">April 19, 2026<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/figure>\n<p>Consequently, a public company wiki or open-source project board can inadvertently expose the exact contact details of every employee or contributor who interacts with the document.<\/p>\n<p>The most controversial aspect of this exposure is its long, unresolved timeline. According to security researchers, this exact API behavior was responsibly disclosed to Notion through <span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">the<a href=\"https:\/\/cybersecuritynews.com\/hackerone-data-breach\/\" target=\"_blank\" rel=\"noopener\">\u00a0HackerOne<\/a><\/span><a href=\"https:\/\/cybersecuritynews.com\/hackerone-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\"> bug bounty program<\/a> in July 2022.<\/p>\n<p>At the time, Notion\u2019s security team triaged the submission as merely \u201cinformative\u201d. It closed the report as out of scope without implementing a structural patch.<\/p>\n<p>The <a href=\"https:\/\/x.com\/i\/trending\/2045988234212024677\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">issue recently resurfaced on X<\/a>, sparking outrage among developers and cybersecurity professionals. 
Many paying subscribers expressed extreme frustration with the platform\u2019s perceived negligence, noting that an issue ignored for nearly 4 years leaves thousands <span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">of<a href=\"https:\/\/cybersecuritynews.com\/data-scraping-the-key-to-successful-e-commerce-business\/\" target=\"_blank\" rel=\"noopener\">\u00a0indexable<\/a><\/span><a href=\"https:\/\/cybersecuritynews.com\/data-scraping-the-key-to-successful-e-commerce-business\/\" target=\"_blank\" rel=\"noreferrer noopener\"> pages vulnerable to scraping.<\/a><\/p>\n<p>Security experts emphasized that this exposed data creates a massive attack surface for targeted <a href=\"https:\/\/cybersecuritynews.com\/clickfix-protection-macos-tahoe-26-4\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing campaigns and social engineering attacks <\/a>against corporate targets.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-official-response-and-proposed-mitigations\"><strong>Official Response and Proposed Mitigations<\/strong><\/h2>\n<p>Following the intense public backlash, Notion has formally acknowledged the problem. 
Notion representative Max Schoening addressed the community\u2019s concerns, noting that the platform provides user warnings about data visibility when a page is published to the web.<\/p>\n<p>However, recognizing that this design choice poses unacceptable security risks, Notion is now working on a permanent architectural fix.<\/p>\n<p>The engineering team plans to either strip PII completely from public-facing endpoints <span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">or<a href=\"https:\/\/cybersecuritynews.com\/chinese-apt-hackers-using-proxy-and-vpn\/\" target=\"_blank\" rel=\"noopener\">\u00a0implement<\/a><\/span><a href=\"https:\/\/cybersecuritynews.com\/chinese-apt-hackers-using-proxy-and-vpn\/\" target=\"_blank\" rel=\"noreferrer noopener\"> an email proxy system to mask user addresses.<\/a><\/p>\n<p>In the meantime, organizations using Notion for public-facing resources should remain vigilant, as their employee contact information may already be indexed and accessible to automated scraping tools.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/notion-pages-exposes-editors-data\/\">Public Notion Pages Leaks Profile Photos and Email address of Editors<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/notion-pages-exposes-editors-data\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Public Notion Pages Leaks Profile Photos and Email address of Editors Notion, a popular productivity and collaboration platform, is under significant scrutiny from the cybersecurity community. Security researchers have revealed that public Notion pages silently expose the personally identifiable information (PII) of anyone who has ever edited them. 
This data leak includes full names, email [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,1738],"tags":[130],"class_list":["post-12247","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-data-leak","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12247"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12247"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12247\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}