:

NOTION EXPOSES EDITOR EMAIL ADDRESSES ON PUBLIC PAGES

AI DESK2 MIN READ
SUN, APR 19, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

Notion has leaked the email addresses of all editors on any publicly shared page, according to security researcher findings. The vulnerability exposed editor credentials to anyone with access to a public page's URL.

A security researcher identified a vulnerability in Notion that revealed email addresses of all users with editing permissions on publicly shared pages. The flaw allowed anyone viewing a public Notion page to access a list of editor email addresses through the platform's API or interface. The issue affected all public pages where multiple editors had been granted access, potentially exposing contact information for teams using Notion for collaborative work. Public pages are commonly used for shared databases, project trackers, and documentation that organizations intentionally make viewable to external audiences. Notion users who maintained public pages with editor access faced unintended exposure of their team members' email addresses. This created privacy concerns and potential security risks, as harvested email lists could be used for phishing campaigns or other targeted attacks. The vulnerability was disclosed publicly on Twitter by security researcher @weezerOSINT, generating significant attention on Hacker News where the post received 158 points and 39 comments from the developer community. The incident highlights the complexity of managing permissions in collaborative platforms where public sharing and private access controls must coexist. Users who needed to keep editor information confidential while maintaining public page access faced a security-privacy trade-off. Notion has not yet issued a public statement regarding the timeline for fixing the vulnerability or whether the issue has been patched. Organizations using Notion should review their public page sharing settings and consider whether sensitive editor information remains at risk. This incident adds to a growing list of permission-related vulnerabilities discovered in productivity and collaboration platforms, underscoring the importance of careful access control implementation in cloud-based services.

■ SOURCES

Hacker News

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

Federal prosecutors have unsealed a 2024 indictment charging three Russian nationals and two web hosting services with facilitating cyberattacks and money laundering that victimized cybercrime targets of $62 million.

JUST NOWSecurity Desk

A hacker accessed Suno's source code using stolen employee credentials, revealing that the AI music generator scraped decades of audio from YouTube to train its model.

JUST NOWAI Desk

Criminals can now clone voices with AI in mere seconds, outpacing traditional authentication defenses that banks and financial institutions rely on to prevent fraud.

JUST NOWAI Desk

Five malicious versions of AsyncAPI packages were published to npm, delivering a remote access trojan capable of stealing credentials and sensitive data from developer systems.

JUST NOWDev Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.