Notion's Unpatched API Leak Exposes Employee Emails on Public Pages
A significant security vulnerability in Notion’s platform has been actively exposing the email addresses of page editors on every publicly shared document. The flaw, which requires no authentication to exploit, was demonstrated this week by security researcher 'impulsive.' Using a simple API call, they extracted the full names, email addresses, and profile photos of editors from Notion’s own public community page.
The issue stems from two API endpoints that lack access controls. One returns the details of a page's editors; the other indicates whether an account signs in with a password or through single sign-on, which tells an attacker exactly which users are worth targeting with credential phishing. With thousands of public Notion pages indexed by search engines, from company wikis to public roadmaps, the potential for mass data harvesting is substantial.
Notably, this is not a new discovery. The bug was first reported to Notion through its HackerOne bug bounty program in July 2022. The company classified that report as 'informative' and shipped no fix. The researcher's recent submission was marked as a duplicate, confirming the issue remains live over four years after initial disclosure. In internal communications, Notion's security team assigned the flaw a severity score of 7.5, in the 'high' range.
The exposure presents a direct conflict between Notion's design for frictionless collaboration and fundamental data privacy. Employee email addresses constitute personally identifiable information under regulations like GDPR and CCPA. As enterprises increasingly rely on Notion for external-facing content, they may be unintentionally publishing internal staff directories.
The disclosure has sparked intense discussion among technical communities, drawing parallels to recent API leaks at other major software providers. Notion has not issued a public statement or announced a remediation timeline. For now, the burden falls on organizations using the platform to audit their public page settings and assume the associated risk.
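Because every editor of a publicly shared page is exposed, the practical first step is to enumerate which pages in a workspace are actually published to the web. The script below is an added example, not code from the article, the researcher, or Notion. It uses Notion's documented search endpoint (POST https://api.notion.com/v1/search, authenticated with an internal integration token) and assumes that a page object's `public_url` field is non-null exactly when the page is published to the web; the `Notion-Version` header value and the constructed sample responses are assumptions for illustration. The HTTP call is injected so the pagination and filtering logic can be run offline against the embedded sample data.

```python
"""Audit a Notion workspace for pages published to the web.

Added example, not from the article or from Notion. Uses the documented
search endpoint and the `public_url` page field (assumed non-null only for
published pages). Network access is injected so the audit logic runs offline.
"""
import json
from typing import Callable, Iterator
from urllib import request

SEARCH_URL = "https://api.notion.com/v1/search"
NOTION_VERSION = "2022-06-28"  # assumed API version header value


def notion_post(token: str) -> Callable[[dict], dict]:
    """Return a function that POSTs a JSON body to the search endpoint with an integration token."""
    def post(body: dict) -> dict:
        req = request.Request(
            SEARCH_URL,
            data=json.dumps(body).encode(),
            headers={
                "Authorization": f"Bearer {token}",
                "Notion-Version": NOTION_VERSION,
                "Content-Type": "application/json",
            },
            method="POST",
        )
        with request.urlopen(req) as resp:
            return json.load(resp)
    return post


def iter_pages(post: Callable[[dict], dict]) -> Iterator[dict]:
    """Walk every page the integration can see, following cursor pagination."""
    body = {"filter": {"property": "object", "value": "page"}, "page_size": 100}
    while True:
        batch = post(body)
        for obj in batch.get("results", []):
            if obj.get("object") == "page":  # defensive: ignore non-page objects
                yield obj
        if not batch.get("has_more"):
            return
        body["start_cursor"] = batch["next_cursor"]


def public_pages(post: Callable[[dict], dict]) -> list:
    """Return id, public URL and last editor's user id for every published page."""
    findings = []
    for page in iter_pages(post):
        if page.get("public_url"):
            findings.append({
                "id": page["id"],
                "public_url": page["public_url"],
                "last_edited_by": page.get("last_edited_by", {}).get("id"),
            })
    return findings


# Constructed sample responses (not real API output): two result pages,
# one published page in each, plus a database object and an unpublished page.
SAMPLE_RESPONSES = [
    {"object": "list", "has_more": True, "next_cursor": "cursor-1", "results": [
        {"object": "page", "id": "aaaa", "public_url": None,
         "last_edited_by": {"object": "user", "id": "user-1"}},
        {"object": "page", "id": "bbbb", "public_url": "https://example.notion.site/bbbb",
         "last_edited_by": {"object": "user", "id": "user-2"}},
    ]},
    {"object": "list", "has_more": False, "next_cursor": None, "results": [
        {"object": "page", "id": "cccc", "public_url": "https://example.notion.site/cccc",
         "last_edited_by": {"object": "user", "id": "user-3"}},
        {"object": "database", "id": "dddd", "public_url": "https://example.notion.site/dddd"},
    ]},
]


def fake_post_factory(responses: list) -> Callable[[dict], dict]:
    """Offline stand-in for notion_post that replays canned responses and records request bodies."""
    calls = []

    def post(body: dict) -> dict:
        calls.append(dict(body))
        return responses[len(calls) - 1]

    post.calls = calls
    return post


def run_sample():
    """Run the audit against the constructed sample data; returns (findings, request bodies)."""
    post = fake_post_factory(SAMPLE_RESPONSES)
    return public_pages(post), post.calls


if __name__ == "__main__":
    import os
    token = os.environ.get("NOTION_TOKEN")  # real audit if a token is set, sample data otherwise
    results = public_pages(notion_post(token)) if token else run_sample()[0]
    for finding in results:
        print(finding["id"], finding["public_url"], finding["last_edited_by"])
```

The integration only sees pages that have been shared with it, so connect it to the top-level pages you want audited before trusting an empty result. The report lists the last editor's user id rather than an email, since the documented API is the right place to resolve identities, not the unauthenticated endpoints the article describes.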
Source: Webpronews