Notion’s Four-Year API Flaw Exposes Editor Emails on Every Public Page

Security researcher exposes Notion API flaw leaking editor emails from public pages, unfixed since 2022 despite high severity rating. Enterprises risk mass employee data dumps via simple requests.
Written by Maya Perez

Every public Notion page leaks editor emails. No authentication required. Security researcher impulsive (@weezerOSINT) demonstrated it Sunday with a simple POST request, pulling full names, emails, and profile photos from Notion’s own community page.

He targeted the permissions block. Grabbed 13 user UUIDs. Fed them into the /api/v3/syncRecordValuesMain endpoint. Back came 12 emails: Notion staffers, a production service account at [email protected], one external contractor. All exposed. From one public page.

Notion pages litter the web. Company wikis. Job postings. Onboarding docs. A Google search for site:www.notion.so yields thousands. Each one hands over editor details to anyone with curl and the right payload. Enterprise teams sharing publicly? Picture 500 employee emails in a single call. No rate limits. Batch up 50 users at a time.

And it gets worse. Pair this with Notion’s getLoginOptions endpoint—also zero auth. Spot who uses passwords versus SSO. Prime targets for credential stuffing. Spam campaigns. Phishing tailored to real corporate domains.

Reported Years Ago, Still Live

The bug surfaced on HackerOne July 28, 2022. Notion called it “informative.” No patch. No CVE. No payout. Impulsive rediscovered it independently. Reported again. Duplicate status. Tested April 19, 2026. Same endpoints. Emails flow freely.

Notion’s security team rated it high severity—7.5 score. They know the risk. Yet it lingers. “This 11 billion dollar company made a business decision to leave customer PII exposed,” impulsive posted in the thread.

Emails count as PII. GDPR says so. CCPA. NIST definitions too. Notion’s privacy policy labels them personal data. One reply dismissed it: “Emails are generally not considered PII.” Impulsive fired back with the regs. No opt-out for editors. No disclosure. Edit a page. Your real email goes public via API. Unlike Git commits, where users pick noreply addresses.

Public Notion use exploded. Enterprises rely on it for shared knowledge bases. HR portals. Public roadmaps. Thousands of workspaces expose staff without realizing. A single viral wiki? Instant employee directory for attackers.

Impulsive urged checks: Review sharing settings now. But why the inaction? Notion triaged it low. Perhaps public pages demand open perms for collaboration. Fixing means blocking unauth lookups—breaking embeds? Guest views? Trade-offs in a product prized for frictionless sharing.

Ripples Across Tech, Echoes in Hacker News

The thread blew up. 661 likes. 53,000 views by evening. Hacker News lit up, listing it among top stories Sunday (Hacker News). Debates raged: Bug or feature? PII or not? Some likened it to GitHub commits. Others saw clear violation.

No mainstream coverage yet. The story broke too recently: the post went up April 19, the same day as this writing. But it mirrors API leaks plaguing SaaS. BrowserStack drew fire recently for similar slips (Hacker News). Firebase keys spiked €54k bills via unrestricted Gemini access (Hacker News). Patterns emerge. Public endpoints. Forgotten perms. Billions in valuations, yet basics slip.

Notion hasn’t responded publicly. @NotionHQ silent on X. No patch announced. Users scramble. Security teams audit public pages. CISOs rethink wiki tools. Impulsive’s demo code floats around replies—proof for the paranoid to test themselves.

Short fix? Block unauth user resolution. Or scrub emails from public perms. But Notion’s scale complicates it. Millions of pages. Legacy edits. One change ripples wide. Meanwhile, attackers script crawlers. Harvest domains. Fuel breaches.
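What "scrub emails from public perms" and "block unauth user resolution" look like in code, as an added illustration written for this article. It is not Notion's code and assumes nothing about Notion's internals: the endpoint name, the `USER_DIRECTORY` table, the UUIDs, the addresses and the limits are all constructed. The handler resolves a batch of user ids, returns only name and avatar to anonymous callers, caps the batch size, and rate limits anonymous sources, which together close the bulk-harvest path the article describes.

```python
"""Hypothetical hardening of a user-record resolution endpoint.

Added example, not Notion's code. It models the mitigation the article
sketches: an endpoint that turns user UUIDs into profile records must
not hand email addresses to unauthenticated callers, must bound how
many ids one request resolves, and should rate limit anonymous traffic.
Every name and value below is constructed for illustration.
"""
from __future__ import annotations

import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample directory; UUIDs and addresses are made up.
USER_DIRECTORY = {
    "0b1f3c2e-0000-4000-8000-000000000001": {
        "name": "Alice Example",
        "email": "alice@example.com",
        "avatar": "https://img.example.com/alice.png",
    },
    "0b1f3c2e-0000-4000-8000-000000000002": {
        "name": "Bob Example",
        "email": "bob@example.com",
        "avatar": "https://img.example.com/bob.png",
    },
    "0b1f3c2e-0000-4000-8000-000000000003": {
        "name": "svc-prod",
        "email": "svc-prod@example.com",
        "avatar": None,
    },
}

MAX_IDS_PER_REQUEST = 10            # bound bulk resolution per call
PUBLIC_FIELDS = ("name", "avatar")  # all an anonymous viewer may learn
RATE_LIMIT = 5                      # anonymous requests per window
RATE_WINDOW_SECONDS = 60.0


class SlidingWindowLimiter:
    """Per-client request counter over a sliding time window."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so tests can control time
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, client: str) -> bool:
        now = self.clock()
        hits = self._hits[client]
        while hits and now - hits[0] > self.window:
            hits.popleft()  # drop hits outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


@dataclass
class ResolveRequest:
    user_ids: list[str]
    authenticated: bool  # does the caller hold a valid session?
    client_ip: str


@dataclass
class ResolveResponse:
    status: int
    records: dict = field(default_factory=dict)
    error: str | None = None


def resolve_users(req: ResolveRequest, directory=USER_DIRECTORY,
                  limiter: SlidingWindowLimiter | None = None) -> ResolveResponse:
    """Resolve UUIDs to profile records with the leak closed.

    Rules, in order:
      1. anonymous callers are rate limited per source address
      2. no request may resolve more than MAX_IDS_PER_REQUEST ids
      3. unknown ids are skipped
      4. anonymous callers receive only PUBLIC_FIELDS; the email field
         is returned only to an authenticated caller
    """
    if not req.authenticated and limiter is not None:
        if not limiter.allow(req.client_ip):
            return ResolveResponse(status=429, error="rate limited")
    if len(req.user_ids) > MAX_IDS_PER_REQUEST:
        return ResolveResponse(status=400, error="too many ids")
    records = {}
    for uid in req.user_ids:
        profile = directory.get(uid)
        if profile is None:
            continue
        if req.authenticated:
            records[uid] = dict(profile)
        else:
            records[uid] = {k: profile[k] for k in PUBLIC_FIELDS}
    return ResolveResponse(status=200, records=records)
```

The design choice worth noting is that redaction happens on the server by the caller's authentication state, not by whether the page is public; a public page can still render editor names and avatars, while the address never leaves the service without a session. The batch cap and the per-source limiter are secondary controls: they do not stop a determined, authenticated scraper, but they remove the "500 emails in one unauthenticated call" path.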

Industry insiders know: Sharing beats silos. Until it doesn’t. Notion built an empire on easy collab. This flaw tests that bet. Four years unresolved. Employees exposed. Will pressure force a patch? Or stay “informative” forever?

Check your Notion shares. Today.
