Notion leaks email addresses of all editors of any public page
A critical vulnerability in Notion has come to light: public pages leak the full names, email addresses, and profile photos of all editors without authentication. This long-standing issue, first reported in 2022 and still active in 2026, raises significant privacy and security concerns for companies relying on Notion for public documentation. The Hacker News community is abuzz with outrage over the lack of corporate accountability and the inherent risks of centralized data platforms.
The Lowdown
A widely used feature in Notion, public web publishing, is reportedly exposing sensitive personal data of every editor involved with a public page. This is not a new bug, but a fundamental design flaw that has persisted for years despite being reported.
- Data Exposed: Full names, email addresses, and profile photos of all users who have edited a public Notion page are accessible.
- Ease of Access: This data can be retrieved with a single POST request, requiring zero authentication, cookies, or tokens.
- Longevity of Issue: The vulnerability was initially reported in 2022 and remains unaddressed in 2026, implying either negligence or an intentional design decision.
- Notion's Stance: Notion's official help documentation acknowledges that "the webpage’s metadata may include the names, profile photos, and email addresses associated with any Notion users that have contributed to the page," effectively classifying it as a known feature rather than a flaw.
- Impact: This poses a severe privacy risk, especially for companies using Notion for public-facing documentation, potentially exposing employee contact information to anyone with the public page URL.
The persistence and acknowledged nature of this data exposure raise serious questions about Notion's commitment to user privacy and security, forcing users to reconsider the implications of using the platform for sensitive or public information.
The Gossip
Notion's Negligent Narrative
Many commenters expressed shock and frustration at Notion's apparent negligence, particularly given that the issue has been known since at least 2022 and is officially documented as part of the system's metadata. Users recounted personal experiences of being deanonymized and called Notion's approach 'absurd' and 'beyond stupid,' highlighting a perceived lack of care for user privacy.
Corporate Consequences and Calls for Change
A significant portion of the discussion centered on the broader issue of corporate accountability for data breaches and privacy lapses. Commenters argued that companies like Notion face insufficient consequences for not prioritizing security, leading to a lack of incentive to care. There were strong calls for more stringent laws, 'existential fines,' and even jail time for executives, with some noting that consumers effectively 'foot the bill' for such security failures.
Architectural Alternatives and Data Decentralization
The discussion branched into architectural solutions for preventing such leaks, with one user proposing an architecture where user data is stored with the user and only materialized on demand. This sparked debate about the practicalities and the challenges of synchronization and complexity, but it underscored a desire for more secure, decentralized approaches to data management. It also reflected a move away from proprietary solutions for personal notes, with Obsidian and Logseq mentioned as alternatives.
Product Pedigree and AI Pivots
Some commenters veered into broader criticisms of Notion's product direction and quality. Specific complaints included the company's aggressive pivot to branding itself as an 'AI workplace' and 'AI everything app,' which some felt diluted its original purpose. The quality of Notion's macOS application, described as 'some of the worst software I’ve ever used' due to being a web wrapper, also drew criticism.