Categories: Cyber Security News

Public Notion Pages Expose Profile Photos and Email Addresses of Editors

A serious data exposure issue has been discovered in Notion, a widely used productivity and collaboration platform, potentially putting thousands of users and organizations at risk.

Security researchers have revealed that public Notion pages can unintentionally expose sensitive personal information of editors, including full names, email addresses, and profile photos, without requiring authentication.

The issue affects any page published using Notion’s “Publish to web” feature. These pages are often used for public documentation, company wikis, and knowledge bases.

Researchers found that such pages can be scraped easily and at scale, making them a valuable target for threat actors seeking data for phishing or social engineering attacks.

How the Exposure Works

According to findings shared by researchers on X, the vulnerability originates from how Notion manages block permissions in publicly shared pages.

https://twitter.com/weezerOSINT/status/2045849358462222720?ref_src=twsrc%5Etfw

When a page is published, the platform exposes hidden metadata in the page source, including the universally unique identifiers (UUIDs) of all editors.

Attackers can extract these UUIDs directly from the page’s source code. Using this data, they can send a simple POST request to Notion’s internal API endpoint:

  • /api/v3/syncRecordValuesMain

Notably, this endpoint does not require authentication, cookies, or access tokens. In response, the server returns detailed Personally Identifiable Information (PII), including:

  • Full names of editors
  • Email addresses
  • Profile images

This makes it trivial for attackers to automate large-scale data collection across publicly accessible Notion pages.

The vulnerability is not new. It was initially reported through HackerOne in July 2022 but was classified as “informative,” resulting in no immediate fix.

The issue resurfaced after researchers such as @weezerOSINT and @k1rallik demonstrated active exploitation risks, sparking widespread concern in the security community.

Notion initially stated that users were warned about potential exposure when publishing pages.

However, recent tests by researchers showed that no such warnings appear in the publishing interface, contradicting those claims.

Following public criticism, Notion acknowledged the issue. Company representative Max Schoening confirmed that the current behavior is unacceptable and that the team is actively working on a solution.

Notion developers are considering fixes such as removing PII from public API responses or introducing an email masking system similar to GitHub’s.
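The two remediations mentioned above, stripping PII from unauthenticated responses or masking the email behind a GitHub-style noreply alias, can be expressed as a server-side response filter. The following is an added illustration, not Notion's code; the record shape, the `users.noreply.example` domain and the sample editor are constructed placeholders.

```python
import hashlib

# Fields the article reports leaking to unauthenticated callers.
STRIP_FIELDS = ("name", "email", "profile_photo")


def mask_email(user_id: str, domain: str = "users.noreply.example") -> str:
    """Return a GitHub-style noreply alias for a user.

    The alias is derived only from the user's id, so it is stable per editor
    (collaborators can still tell editors apart) but reveals nothing about the
    real mailbox. `domain` is a placeholder, not a Notion value.
    """
    token = hashlib.sha256(user_id.encode("utf-8")).hexdigest()[:12]
    return f"{token}@{domain}"


def sanitize_user_record(record: dict, authenticated: bool, policy: str = "strip") -> dict:
    """Return the version of `record` that may be placed in an API response.

    Authenticated workspace members receive the full record. For an
    unauthenticated caller (the situation the article describes) apply one of:
      "strip": drop name, email and profile photo entirely;
      "mask":  keep the display name, replace the email with a noreply alias,
               drop the profile photo.
    """
    if policy not in ("strip", "mask"):
        raise ValueError(f"unknown policy: {policy}")
    if authenticated:
        return dict(record)
    if policy == "strip":
        return {k: v for k, v in record.items() if k not in STRIP_FIELDS}
    public = {k: v for k, v in record.items() if k != "profile_photo"}
    if "email" in public:
        public["email"] = mask_email(record["id"])
    return public


def sanitize_response(records: list, authenticated: bool, policy: str = "strip") -> list:
    """Apply the policy to every user record in a response body."""
    return [sanitize_user_record(r, authenticated, policy) for r in records]


# Constructed sample editor record; the field layout is illustrative only.
SAMPLE_RECORDS = [
    {"id": "11111111-2222-3333-4444-555555555555", "name": "Ada Example",
     "email": "ada@example.com", "profile_photo": "https://img.example/ada.png"},
]
```

With the `strip` policy an anonymous caller sees only the editor's id, which is already in the public page source; with `mask` the workspace keeps readable attribution without leaking the address or photo.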

Until a patch is released, users and organizations are advised to take immediate precautions:

  • Review all publicly shared Notion pages
  • Unpublish pages containing sensitive or internal information
  • Limit the number of editors on public documents
  • Monitor official Notion security updates

This incident highlights the risks of exposing collaboration platforms to the public internet without fully understanding underlying data flows, especially as attackers increasingly exploit misconfigured APIs and metadata leaks.
