Notion has leaked the email addresses of all editors on any publicly shared page, according to security researcher findings. The vulnerability exposed editor credentials to anyone with access to a public page's URL.
A security researcher identified a vulnerability in Notion that revealed email addresses of all users with editing permissions on publicly shared pages. The flaw allowed anyone viewing a public Notion page to access a list of editor email addresses through the platform's API or interface.
The issue affected all public pages where multiple editors had been granted access, potentially exposing contact information for teams using Notion for collaborative work. Public pages are commonly used for shared databases, project trackers, and documentation that organizations intentionally make viewable to external audiences.
Notion users who maintained public pages with editor access faced unintended exposure of their team members' email addresses. This created privacy concerns and potential security risks, as harvested email lists could be used for phishing campaigns or other targeted attacks.
The vulnerability was disclosed publicly on Twitter by security researcher @weezerOSINT, generating significant attention on Hacker News where the post received 158 points and 39 comments from the developer community.
The incident highlights the complexity of managing permissions in collaborative platforms where public sharing and private access controls must coexist. Users who needed to keep editor information confidential while maintaining public page access faced a security-privacy trade-off.
Notion has not yet issued a public statement regarding the timeline for fixing the vulnerability or whether the issue has been patched. Organizations using Notion should review their public page sharing settings and consider whether sensitive editor information remains at risk.
This incident adds to a growing list of permission-related vulnerabilities discovered in productivity and collaboration platforms, underscoring the importance of careful access control implementation in cloud-based services.
Federal prosecutors have unsealed a 2024 indictment charging three Russian nationals and two web hosting services with facilitating cyberattacks and money laundering that victimized cybercrime targets of $62 million.
A hacker accessed Suno's source code using stolen employee credentials, revealing that the AI music generator scraped decades of audio from YouTube to train its model.
Criminals can now clone voices with AI in mere seconds, outpacing traditional authentication defenses that banks and financial institutions rely on to prevent fraud.
Five malicious versions of AsyncAPI packages were published to npm, delivering a remote access trojan capable of stealing credentials and sensitive data from developer systems.