As the OSINT researcher who disclosed the vulnerability, weezerOSINT demonstrated that Notion's API responses for public pages include full editor email addresses in plaintext JSON, requiring no authentication to access. The disclosure highlights that this affects every public Notion page, making it trivial to scrape verified email addresses tied to specific organizations and documents.
The editorial emphasizes that with 30+ million Notion users and public pages used for company wikis, investor updates, and product roadmaps, the exposure creates a spear-phishing goldmine. An attacker can correlate email addresses with specific document contexts — knowing exactly who edited sensitive financial or strategic documents — making targeted social engineering attacks far more effective.
The editorial explicitly distinguishes this from traditional vulnerabilities like buffer overflows or injection attacks, characterizing it instead as a design choice. Notion's architecture bundles editor identity into the page content payload, so when a page is made public, all editor metadata is exposed by default — the leak is structural rather than a bug to be patched.
The disclosure demonstrates that harvesting the leaked data requires no special tools — just opening browser DevTools on any public Notion page reveals editor emails in network responses. Combined with Notion's predictable public page URL patterns and unauthenticated API endpoints, a single automated script could harvest millions of verified, active email addresses at scale.
OSINT researcher @weezerOSINT disclosed that Notion's public page infrastructure leaks the email addresses of every user who has ever edited a publicly shared page. The disclosure, posted on Twitter and quickly picked up by Hacker News where it reached a score of 360, reveals that Notion's API responses for public pages include full editor email addresses in the JSON payload — no authentication required.
The mechanism is straightforward: when anyone visits a public Notion page, the browser makes API calls to Notion's backend to fetch page content and metadata. Embedded in those responses are user objects for each editor, complete with email addresses. You don't need to reverse-engineer anything. Open DevTools, look at the network tab, and the emails are right there in plaintext JSON.
This isn't a buffer overflow or an injection attack. It's a design choice — Notion's data model treats editor identity as part of the page payload, and when a page is published publicly, that payload goes with it.
The scale of exposure is what elevates this from a curiosity to a serious incident. Notion is used by an estimated 30+ million users across hundreds of thousands of organizations. Public Notion pages are everywhere: company wikis, engineering documentation, job boards, product roadmaps, investor updates, course materials, community resources. Every single one of these pages has been silently broadcasting the email addresses of everyone who touched them.
For a motivated scraper, this is trivial to automate. Notion's public page URLs follow predictable patterns, and the API endpoints that serve content don't require authentication. A single script could harvest millions of verified, active email addresses — each one tied to a specific organization and document context. That's not just a spam list; it's a spear-phishing goldmine. An attacker knows that jane.doe@acme.com edited a page about Q3 financial projections, which makes for a far more convincing pretext than a cold email.
The OSINT implications are equally concerning. Journalists, activists, anonymous contributors, and whistleblowers who edited Notion pages under the assumption that "Share to web" meant "share the content, not my identity" are now retroactively exposed. There is no audit log available to editors telling them which public pages have leaked their email, and no way to retroactively scrub that exposure.
This also raises questions about Notion's GDPR and CCPA compliance posture. Email addresses are personally identifiable information. Publishing them to the open internet without explicit consent from the data subjects — the editors — is at minimum a gray area under both frameworks, and likely a clear violation under stricter interpretations. Notion's privacy policy covers how they handle data you put *into* pages, but editor metadata leaking through API responses is a different category entirely.
What makes this particularly instructive for engineers is that it's a classic case of an internal data model leaking through an external interface. Notion's architecture was presumably designed with the assumption that API consumers would be authenticated users with legitimate access to editor metadata. When the "Share to web" feature was built, the public-facing API likely reused the same response format — user objects and all — without stripping sensitive fields.
This is the same class of bug that has bitten dozens of SaaS companies: internal APIs that become external APIs without a serialization boundary review. The fix is conceptually simple — strip or anonymize user objects in public page responses — but the architectural debt that led here is worth examining. If your API responses include user objects, and you ever serve those responses to unauthenticated contexts, you have the same vulnerability.
The Hacker News discussion surfaced several related examples. Multiple commenters noted that similar issues have existed in Google Docs (resolved years ago), Confluence public pages, and various wiki platforms. The pattern is consistent: collaboration tools built for internal use bolt on public sharing as a feature, and the permission model doesn't fully account for the shift from "shared within a trusted group" to "shared with the entire internet."
If you use Notion for public pages, audit them immediately. The exposure is not theoretical — any page you've published to the web has been leaking editor emails since it was published. If those pages were edited by employees with corporate email addresses, those addresses are now in the wild. Consider:
1. Unpublish non-essential public pages until Notion confirms a fix. 2. Move public content to dedicated accounts with non-sensitive email addresses (e.g., docs@yourcompany.com) if you need pages to stay live. 3. Alert your security team — if editor emails have been scraped, expect targeted phishing attempts that reference specific Notion documents.
If you build SaaS with public sharing features, treat this as a case study. Audit every API endpoint that can be reached without authentication and verify that response payloads don't include user PII that was only intended for authenticated contexts. This means:
- Maintain separate serializers for public vs. authenticated responses - Never reuse internal user objects in public-facing payloads - Include automated tests that fetch public endpoints and assert the absence of email fields, user IDs, and other PII
If you're in security or compliance, document this as a data exposure event. Depending on your jurisdiction, you may have notification obligations if employee PII was exposed through a third-party tool.
Notion has not yet issued a public response as of this writing, though the velocity of community attention — 360+ points on Hacker News and widespread social media coverage — typically accelerates vendor response timelines. The technical fix is straightforward: strip user email addresses from public API responses and replace editor identities with anonymized or first-name-only representations. The harder question is retroactive: how many emails have already been scraped, and does Notion owe its users disclosure? For the broader SaaS ecosystem, this is another reminder that "Share to web" is one of the most dangerous features you can ship — not because sharing is wrong, but because the blast radius of a permissions model mismatch scales with your entire user base.
Recently I checked back on Notion after a year or so of not seeing it. I was going to recommend it to someone as an example of hypertext, but I see now it calls itself an "AI workplace that works for you" and "Your AI everything app". This company means nothing now, seriously wha
Hi, this is Max from Notion.First: This is documented and we also warn users when they publish a page. But, that’s not good enough!Second: We don’t like this and are looking at ways to fix this either by removing the PII from the public endpoints or by replacing it with an email proxy similar to Git
It has been an issue for at least 5 years. I remember one dude from HN deanonymized me around 5 years ago by looking at my notion page.
Very timely. I literally ran a Claude prompt "compare and contrast Notion vs Obsidian" and flipped over to HN while it was thinking, and this comes up. Thanks HN!
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
Apparently this is officially documented at https://www.notion.com/help/public-pages-and-web-publishing#... buried in a note:> When you publish a Notion page to the web, the webpage’s metadata may include the names, profile photos, and email addresses associated with any Notio