Notion Data Leak Exposes Editor Email Addresses Without Authentication

Security researchers have confirmed that any public Notion page now leaks the full names, email addresses, and profile pictures of everyone who has ever edited that page. The flaw requires no authentication, cookies, or API keys, meaning that a simple script can harvest personally identifiable information (PII) from thousands of corporate wikis and personal docs that have been “published to web.”

Technical Walk‑through of the Vulnerability

The problem originates from Notion’s handling of block permissions on published pages. When a user clicks “Publish to web,” the page’s HTML source contains a JSON structure called block_permissions that lists the UUIDs of every editor. Those UUIDs are not masked or encrypted.

Attackers can perform the following steps:

  1. Scrape the public page, extract every editor UUID from the block_permissions field.
  2. Issue a single POST request to the /api/v3/syncRecordValuesMain endpoint, passing the harvested UUIDs as a payload.
  3. Because the endpoint does not enforce any form of authentication, Notion’s backend returns a JSON response that includes:
    • Full name
    • Email address
    • Profile image URL

The entire flow can be scripted in under a minute, making large‑scale data harvesting trivial. An example request (omitted for brevity) would contain a body like:

{
  "requests": [
    {
      "id": "editor‑uuid‑1",
      "table": "notion_user",
      "spaceId": "public‑space-id"
    },
    …
  ]
}

Notion’s response returns an array of user objects with the aforementioned PII fields.

History and Disclosure Timeline

  • July 2022 – The issue was reported on Notion’s HackerOne bounty program. Notion categorized the report as “informative” and did not patch the endpoint.
  • April 19 2026 – Researchers @weezerOSINT and @k1rallik publicized a live demo, showing how a single POST request returns editor emails for a public corporate wiki.
  • April 20 2026 – Notion spokesperson Max Schoening responded on X, initially claiming that the behavior was documented and that users received warnings. Further testing proved the warning dialog absent, prompting an admission that the current design is “unacceptable” and that a fix is under investigation.

Potential Impact for Organizations

Publicly accessible wikis are often used for product documentation, onboarding guides, or marketing FAQs. When every editor’s email address is exposed, threat actors can:

  • Compile targeted phishing campaigns that appear legitimate because they reference internal project names or team structures.
  • Cross‑reference leaked emails with data breaches from other services to enrich attacker profiles.
  • Exploit the information for credential‑stuffing attacks where the email is already known.

Given the low effort required, the exposure could affect tens of thousands of employees across multiple industries.

Notion’s Planned Mitigations

According to internal communications shared by Notion engineers, two primary remediation paths are being evaluated:

  1. Strip PII from public endpoints – Modify /api/v3/syncRecordValuesMain to return only non‑identifying data for requests originating from unauthenticated contexts.
  2. Introduce an email proxy – Similar to GitHub’s approach, replace raw email addresses with anonymized identifiers that only authorized users can resolve.

Both options would require a rollout of new privacy controls in the “Publish to web” UI, such as explicit warnings and opt‑out toggles for exposing editor information.

Immediate Mitigation Steps for Users

Until Notion releases an official patch, organizations should act quickly:

  • Audit every workspace for pages that are published to the web. Notion’s Publish settings page lists active URLs.
  • Unpublish any page that does not require open public access. Use the “Unpublish” button in the page settings.
  • Reduce the editor roster on indispensable public pages. Fewer editors mean fewer exposed email addresses.
  • Implement network‑level monitoring for outbound POST requests to api/v3/syncRecordValuesMain. Unusual spikes could indicate scraping attempts.
  • Stay tuned to Notion’s security advisories for the forthcoming update.

While Notion works on a permanent fix, the disclosed flaw demonstrates how seemingly innocuous “publish” features can become powerful data‑exfiltration vectors when permissions are not rigorously sanitized. Organizations that rely on public Notion pages should treat this as a high‑priority risk and remediate immediately.

Related Articles

Back to top button