Source: tweet (twitter.com)

Notion's Public Pages Leak Editor Emails: A Persistent Security Flaw

By @weezerOSINT (impulsive)

AI Summary

Every public Notion page inadvertently exposes the email addresses of its editors because of a flaw in Notion's API. Without any authentication, a single POST request can return the full name, email address, and profile photo of everyone who has edited the page. The issue was reported in 2022 but remains unfixed in 2026, raising questions about the effectiveness of Notion's bug bounty program.

The API exposes the editors' user UUIDs in the permissions block of any public page, and those IDs can then be resolved to email addresses through the /api/v3/syncRecordValuesMain endpoint. The exposure is widespread, affecting company wikis, job boards, and public documents, and a single batch request can leak hundreds of corporate email addresses.

Despite being reported on HackerOne, the issue was classified by Notion as 'informative', and no fix or CVE followed. The flaw persists, leaving email addresses exposed and highlighting a significant gap in the handling of personal data, which counts as PII under GDPR, CCPA, and NIST guidance.

Notion's decision not to address this vulnerability reflects a concerning disregard for user privacy. Editors' emails are exposed without their consent, contrasting with other platforms where users can choose to use a noreply address. Notion's own security team acknowledged the issue but did not prioritize a solution.

This situation underscores the importance of reviewing sharing settings for public Notion pages to protect sensitive information. The ongoing exposure of personal data raises critical questions about data privacy and corporate responsibility in the digital age.

Key Concepts

Data Privacy

Data privacy refers to the handling, processing, and storage of personal data in a way that protects individuals' information from unauthorized access and misuse.

API Security

API security involves protecting the integrity and confidentiality of data exchanged between software applications through APIs, ensuring that only authorized users can access sensitive information.

Category

Security

Summarized by Mente