:

NOTION EXPOSES EDITOR EMAIL ADDRESSES ON PUBLIC PAGES

AI DESK2 MIN READ
SUN, APR 19, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

Notion has leaked the email addresses of all editors on any publicly shared page, according to security researcher findings. The vulnerability exposed editor credentials to anyone with access to a public page's URL.

A security researcher identified a vulnerability in Notion that revealed email addresses of all users with editing permissions on publicly shared pages. The flaw allowed anyone viewing a public Notion page to access a list of editor email addresses through the platform's API or interface. The issue affected all public pages where multiple editors had been granted access, potentially exposing contact information for teams using Notion for collaborative work. Public pages are commonly used for shared databases, project trackers, and documentation that organizations intentionally make viewable to external audiences. Notion users who maintained public pages with editor access faced unintended exposure of their team members' email addresses. This created privacy concerns and potential security risks, as harvested email lists could be used for phishing campaigns or other targeted attacks. The vulnerability was disclosed publicly on Twitter by security researcher @weezerOSINT, generating significant attention on Hacker News where the post received 158 points and 39 comments from the developer community. The incident highlights the complexity of managing permissions in collaborative platforms where public sharing and private access controls must coexist. Users who needed to keep editor information confidential while maintaining public page access faced a security-privacy trade-off. Notion has not yet issued a public statement regarding the timeline for fixing the vulnerability or whether the issue has been patched. Organizations using Notion should review their public page sharing settings and consider whether sensitive editor information remains at risk. This incident adds to a growing list of permission-related vulnerabilities discovered in productivity and collaboration platforms, underscoring the importance of careful access control implementation in cloud-based services.

■ SOURCES

Hacker News

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

A new browser fingerprinting vector has emerged in Chromium 148, where the Math.tanh function produces different results across operating systems. This discrepancy can be exploited to identify a user's underlying OS without explicit permission.

JUST NOWIndustry Desk

Kaseya is hosting a webinar on strengthening MSP resilience through SaaS backups and business continuity strategies. The session focuses on how recovery capabilities prove critical when security defenses are breached.

5H AGOSecurity Desk

A new variant of RedHook Android malware abuses Wireless ADB (Android Wireless Debugging) to gain shell-level privileges without requiring a computer connection. This represents a significant escalation in the malware's capabilities.

6H AGOSecurity Desk

Fraudsters are creating convincing counterfeit news articles impersonating major publishers like the Guardian to direct social media users to bogus investment sites. The fake stories feature fabricated celebrity endorsements and financial narratives designed to establish credibility.

11H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.