As more and more businesses move their operations online, there is a growing need for secure document management solutions. One such solution is PandaDoc, which allows businesses to create, send, and sign documents online. However, if a PandaDoc customer misconfigures the sharing settings on the application, their internal documents can be accessed by anyone on the Internet.

Through my research, I was able to access PandaDoc customers' sensitive documents such as NDAs and internal documents. This was a significant concern, as it meant that anyone with the URL could access these confidential documents without the owner's knowledge or consent.

The Impact of the PandaDoc Misconfiguration:

The impact of this misconfiguration is that an attacker who obtains a document URL could gain access to sensitive documents and data. Customers are most affected if they use PandaDoc as a repository for sensitive documents such as contracts or financial records, because a share link is the only thing standing between those documents and the public.

How did I discover the misconfiguration in PandaDoc's application?

  • In one of my private projects, a company shared an NDA document with me for the e-sign process.
  • I signed the document and shared it back with the company.
  • I was surprised: how did I get access without any authentication?

Interesting, right?

  • Yes, I accessed the NDA document for e-signing without any authentication. That is the regular e-sign flow.
  • At this point I had the PandaDoc NDA document URL, which is accessible to anyone who has it.
  • Then I went to the Wayback Machine for further research.

There I found many PandaDoc customers' internal documents exposed through the Wayback Machine crawler.

(Screenshot: Wayback Machine history)

I went through a few of the URLs and was able to access PandaDoc customers' internal documents: NDAs, payment invoices, email addresses, phone numbers, etc.
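The Wayback step above is easy to reproduce for any domain you own: the Internet Archive exposes its index through the CDX API, so you can list every captured URL and then check which of them still serve content to an unauthenticated client. The script below is an added example, not code from the original post or from PandaDoc. The CDX endpoint and its url/output/fl/collapse parameters are real; the domain docs.example.com, the /s/<token> path shape, the sample CDX response, the fake fetcher, and the "verification gate" marker strings are all constructed for the example.

```python
"""List archived URLs for a domain via the Wayback Machine CDX API and triage
which ones still return a document to an anonymous client."""
import json
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

# Assumed phrases that indicate a recipient-verification page rather than the
# document itself; adjust to whatever the target application actually renders.
GATE_MARKERS = ("recipient verification", "enter the password", "enter the passcode")


def build_cdx_url(url_pattern: str) -> str:
    """Build a CDX query for every captured URL matching url_pattern.

    fl= picks the columns we need; collapse=urlkey keeps one row per URL
    instead of one per capture.
    """
    params = {
        "url": url_pattern,
        "output": "json",
        "fl": "original,timestamp,statuscode",
        "collapse": "urlkey",
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx(body: str) -> list[dict]:
    """CDX JSON output is a list of rows whose first row is the header."""
    rows = json.loads(body)
    if not rows:
        return []
    header, *records = rows
    return [dict(zip(header, rec)) for rec in records]


def live_fetch(url: str, timeout: int = 15) -> tuple[int, str]:
    """Fetch url with no cookies or credentials; return (status, body)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""


def triage(records: list[dict], fetch=live_fetch) -> list[str]:
    """Return archived URLs that still serve content without any credential.

    A URL counts as exposed when the live response is 200 and does not look
    like a verification gate. fetch is injectable so the logic is testable
    offline.
    """
    exposed = []
    for rec in records:
        if rec.get("statuscode") != "200":  # never served content when captured
            continue
        status, body = fetch(rec["original"])
        if status == 200 and not any(m in body.lower() for m in GATE_MARKERS):
            exposed.append(rec["original"])
    return exposed


# --- Constructed sample data so the module runs offline -----------------------
SAMPLE_CDX = json.dumps([
    ["original", "timestamp", "statuscode"],
    ["https://docs.example.com/s/abc123", "20220101120000", "200"],
    ["https://docs.example.com/s/def456", "20220302090000", "200"],
    ["https://docs.example.com/s/old789", "20210101000000", "404"],
])


def fake_fetch(url: str) -> tuple[int, str]:
    """Stand-in for live_fetch: abc123 is still open, def456 is now gated."""
    responses = {
        "https://docs.example.com/s/abc123": (200, "<h1>NDA - Acme Corp</h1>..."),
        "https://docs.example.com/s/def456": (200, "<form>Recipient verification: enter the password</form>"),
    }
    return responses.get(url, (404, ""))


if __name__ == "__main__":
    if len(sys.argv) == 2:  # real run: python wayback_triage.py 'docs.example.com/*'
        status, body = live_fetch(build_cdx_url(sys.argv[1]))
        records = parse_cdx(body) if status == 200 else []
        fetcher = live_fetch
    else:  # offline demo on the constructed sample
        records, fetcher = parse_cdx(SAMPLE_CDX), fake_fetch
    for url in triage(records, fetcher):
        print("EXPOSED:", url)
```

Run it against your own domain pattern only; every URL it prints is one that a crawler has already copied and that still hands out the document to anyone who asks.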

(Screenshot: exposed PandaDoc document showing a user's email address and mobile number)

To ensure the safety and privacy of PandaDoc's customers, I immediately reported the issue to the company's security team through HackerOne. They closed the issue as Informative: once a customer shares a document publicly, PandaDoc no longer has control over it, which is why they recommend the following settings in your dashboard.

Enable recipient verification in your company dashboard, and also enable it whenever you create a new document. Then share the password with the client out of band, not in the same email as the link. With this setting, the URL alone is no longer enough to open the document, so a link that has been crawled, archived, or forwarded does not expose it. Using this method, organizations can protect their sensitive documents from public access.
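To make the difference concrete: a link-only share treats the URL as a bearer credential, while recipient verification requires a second secret that never appears in the URL and therefore never ends up in an archive. The toy service below is an added example written for this post, not PandaDoc's code or a description of its implementation; the /s/<token> route, the two constructed documents, the passcode value, and the helper that drives the WSGI app directly are all assumptions made for illustration.

```python
"""Toy share-link service: a URL-only share versus one that also requires a
recipient-held passcode submitted in a POST body (never in the URL)."""
import hmac
import io
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Constructed document store: token -> title and optional passcode.
DOCS = {
    "abc123": {"title": "NDA - Acme Corp", "passcode": None},        # link-only share
    "def456": {"title": "Invoice 2023-17", "passcode": "7391"},     # recipient verification on
}

# Headers that reduce how far a share URL travels: no caching by proxies,
# no Referer leakage to third-party sites, and a hint to search crawlers.
BASE_HEADERS = [
    ("Content-Type", "text/plain; charset=utf-8"),
    ("Cache-Control", "no-store"),
    ("Referrer-Policy", "no-referrer"),
    ("X-Robots-Tag", "noindex"),
]


def read_form(environ) -> dict:
    """Return POSTed form fields; GET requests carry no credential at all."""
    if environ.get("REQUEST_METHOD") != "POST":
        return {}
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode()
    return {k: v[0] for k, v in parse_qs(raw).items()}


def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    if not path.startswith("/s/"):
        start_response("404 Not Found", BASE_HEADERS)
        return [b"not found"]
    doc = DOCS.get(path[len("/s/"):])
    if doc is None:
        start_response("404 Not Found", BASE_HEADERS)
        return [b"not found"]
    if doc["passcode"] is not None:
        # The passcode must come from the request body, so an archived or
        # forwarded URL on its own is useless. Compare in constant time.
        supplied = read_form(environ).get("passcode", "")
        if not hmac.compare_digest(supplied.encode(), doc["passcode"].encode()):
            start_response("401 Unauthorized", BASE_HEADERS)
            return [b"Recipient verification: enter the passcode"]
    start_response("200 OK", BASE_HEADERS)
    return [doc["title"].encode()]


def request(path: str, method: str = "GET", body: str = "") -> tuple[str, str]:
    """Drive the WSGI app in-process (no socket) and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    raw = body.encode()
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(raw)),
        "wsgi.input": io.BytesIO(raw),
    }
    out = b"".join(app(environ, start_response))
    return captured["status"], out.decode()


if __name__ == "__main__":
    # Offline demonstration of the two sharing modes, then serve on localhost.
    print(request("/s/abc123"))                              # link alone opens the NDA
    print(request("/s/def456"))                              # link alone is refused
    print(request("/s/def456", "POST", "passcode=7391"))     # link + passcode opens it
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("serving on http://127.0.0.1:8000/s/abc123 ...")
        httpd.serve_forever()
```

The point of the POST body is not ceremony: anything placed in the query string would be logged, archived, and replayed together with the link, which would put you back at a URL-only share.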

Thanks for reading! Happy hacking!

