NOTION EXPOSES EDITOR EMAIL ADDRESSES ON PUBLIC PAGES

AI DESK · 2 MIN READ
SUN, APR 19, 2026

■ AI-SUMMARIZED FROM 1 SOURCE BELOW

Notion has leaked the email addresses of all editors on any publicly shared page, according to a security researcher's findings. The vulnerability exposed editors' email addresses to anyone with access to a public page's URL.

A security researcher identified a vulnerability in Notion that revealed email addresses of all users with editing permissions on publicly shared pages. The flaw allowed anyone viewing a public Notion page to access a list of editor email addresses through the platform's API or interface.

The issue affected all public pages where multiple editors had been granted access, potentially exposing contact information for teams using Notion for collaborative work. Public pages are commonly used for shared databases, project trackers, and documentation that organizations intentionally make viewable to external audiences.

Notion users who maintained public pages with editor access faced unintended exposure of their team members' email addresses. This created privacy concerns and potential security risks, as harvested email lists could be used for phishing campaigns or other targeted attacks.

The vulnerability was disclosed publicly on Twitter by security researcher @weezerOSINT, generating significant attention on Hacker News where the post received 158 points and 39 comments from the developer community.

The incident highlights the complexity of managing permissions in collaborative platforms where public sharing and private access controls must coexist. Users who needed to keep editor information confidential while maintaining public page access faced a security-privacy trade-off.

Notion has not yet issued a public statement regarding the timeline for fixing the vulnerability or whether the issue has been patched. Organizations using Notion should review their public page sharing settings and consider whether sensitive editor information remains at risk.

This incident adds to a growing list of permission-related vulnerabilities discovered in productivity and collaboration platforms, underscoring the importance of careful access control implementation in cloud-based services.

■ SOURCES

Hacker News

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
