AIKIDO-2026-10238
notion-client is vulnerable to Path Traversal
53
Medium Risk
This Affects:
notion-clientTL;DR
Affected versions of this package did not properly validate path parameters (e.g., block_id, page_id, database_id) against path traversal sequences such as .. and URL-encoded variants like %2e%2e, allowing crafted inputs to manipulate the constructed API endpoint. Without strict normalization and validation, an attacker could supply traversal payloads (including double-encoded forms) to alter the resolved request path, potentially accessing unintended resources or bypassing client-side routing constraints. By embedding traversal sequences into path parameters, a malicious user could force the SDK to target different API routes than intended, undermining endpoint integrity and enabling unauthorized data access depending on server-side enforcement.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
notion-client is vulnerable to Path Traversal in versions 0.5.0 - 2.7.0.
How to fix this
Upgrade the notion-client library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant