# How Notion Leaks Editors’ Email Addresses — and What You Should Do
Notion can leak editors’ names, email addresses, and profile photos from pages shared via “Publish to web” because public page HTML can contain editors’ internal UUIDs, and an unauthenticated Notion API call can resolve those UUIDs into personal data—meaning anyone who can view the page source can potentially extract a contributor list and fetch the associated metadata with a single request.
## What happened (and why it matters)
Recent investigations describe a “silent privacy flaw” in Notion’s public pages: the rendered page may look harmless, but the page source can include identifiers for “everyone who ever edited” that page. Those identifiers aren’t necessarily visible in the content, yet they can be scraped. The second part of the issue is more serious: an unauthenticated request to Notion’s /api/v3/syncRecordValuesMain endpoint can return a JSON payload containing full names, email addresses, and avatar URLs tied to those identifiers—no login required.
That combination turns a sharing convenience into an unexpected exposure mechanism. Coverage characterizes it as a potential “phishing goldmine” because it can reveal direct contact information for employees or contributors who never intended to publish their identity alongside a public doc.
## How the leak works: a short technical walkthrough
The reports converge on a simple chain:
- A Notion page is published to the web.
  When a workspace user enables “Publish to web,” the resulting public URL serves an HTML page that includes embedded metadata and JSON blobs used by Notion’s client-side code.
- Editor UUIDs appear in the page source.
  Those internal identifiers—typically long, UUID-like hex strings—may represent users who edited the page at any point. They’re not necessarily shown on the page itself, but they can be found by viewing the HTML source (for example via Ctrl/Cmd+U) and searching around the embedded data.
- A single unauthenticated POST resolves UUID → PII.
  Using the scraped UUIDs, an attacker can send an unauthenticated POST request to /api/v3/syncRecordValuesMain. As documented in coverage and proofs-of-concept, the response can include names, emails, and profile photos associated with those user IDs.
The root causes described in the reporting are straightforward: (1) public pages expose backend identifiers client-side, and (2) an API endpoint resolves those identifiers to personally identifiable information without authentication or authorization.
## Who is affected, and what the real-world risks look like
According to the sources, any Notion page published via “Publish to web” is potentially affected, with the highest risk concentrated in organizations that use Notion as a public-facing documentation platform—think product docs, engineering handbooks, research notes, or knowledge bases that many employees touch.
The exposed dataset can include:
- Full names
- Email addresses
- Profile photos (avatar URLs)
- The historical set of editors: “everyone who ever edited” (not just current collaborators)
That last point matters operationally. Even if a page is now maintained by a small team, the leak can reveal people who contributed briefly long ago—interns, contractors, former employees—creating privacy and reputational risk for people no longer associated with the work.
The practical threats highlighted include targeted phishing, social engineering, doxxing, and unwanted contact. A convincing phish often starts with: “I saw you edited X…” This bug can supply both the context (the public doc) and the direct contact info (email + photo) to make such messages more believable.
## Timeline and why this is news again
The current wave of attention traces to April 19, 2026, when researchers (notably @weezerOSINT) publicly demonstrated working exploitation and proofs-of-concept spread on social platforms and Hacker News. Multiple write-ups emphasize how easily the method can be automated: scrape the UUIDs, send a single POST, collect results.
The same coverage also notes the issue was reportedly first reported to Notion in July 2022 and categorized as “informative,” with the behavior still reportedly present as of April 2026. That gap—early report, no visible remediation—helped fuel renewed scrutiny once viral demonstrations made the impact legible to non-specialists.
## How to check whether you’re exposed
If you’re a user or admin trying to assess risk, the reporting suggests a few pragmatic checks:
- Inspect any public Notion pages your org controls.
  Open the published page, view the page source, and search for UUID-like strings (long hex/UUID patterns) and editor-related keys in embedded JSON blobs.
- Cross-check who has edited the page historically.
  The risk isn’t limited to current collaborators. If a public page has had many editors over time, the exposure surface grows.
- Scale carefully for many pages.
  If you manage a large set of published pages, coverage notes that scanning can be scripted (and some public PoCs exist). Do this within your organization’s legal/ethical boundaries and policy—especially since the technique can be misused.
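The first check above, turned into a small audit script, as an added example that is not from the original article or from Notion: it scans a saved copy of a published page's HTML for UUID-like identifiers (hyphenated or bare 32-hex) and reports the JSON key each one sits under, so an auditor can separate page/block identifiers from keys that look user-related before deciding whether to unpublish. The sample HTML and its key names are constructed for illustration and do not claim to reproduce Notion's real page structure; the script never contacts Notion's API.

```python
import re

# Hyphenated UUIDs or 32-character bare hex strings, the two forms in which
# record identifiers typically appear inside embedded JSON.
HEX = r"[0-9a-fA-F]"
UUID_RE = re.compile(
    rf"(?<!{HEX})({HEX}{{8}}-?{HEX}{{4}}-?{HEX}{{4}}-?{HEX}{{4}}-?{HEX}{{12}})(?!{HEX})")
# A JSON key such as "created_by": appearing in the text just before a value.
KEY_RE = re.compile(r'"([A-Za-z_][A-Za-z0-9_]*)"\s*:')


def normalize_uuid(raw: str) -> str:
    """Canonical lowercase 8-4-4-4-12 form, so one user is counted once
    whether or not the page hyphenates the identifier."""
    h = raw.replace("-", "").lower()
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"


def ids_by_key(html: str, window: int = 80) -> dict:
    """Map each JSON key that precedes a UUID-like value to the identifiers
    found under it. Keys are reported verbatim so the auditor can separate
    page/block ids from keys that look like they refer to people."""
    found = {}
    for m in UUID_RE.finditer(html):
        before = html[max(0, m.start() - window):m.start()]
        keys = KEY_RE.findall(before)
        key = keys[-1] if keys else "<no key>"
        found.setdefault(key, set()).add(normalize_uuid(m.group(1)))
    return found


def audit_page(html: str) -> dict:
    """Summarize one page: identifiers per key plus the distinct total."""
    by_key = ids_by_key(html)
    distinct = set().union(*by_key.values())
    return {"by_key": {k: sorted(v) for k, v in sorted(by_key.items())},
            "distinct_ids": len(distinct)}


# Constructed sample page source (not real Notion output) for a stand-alone run.
SAMPLE_HTML = """<html><body><script>window.__DATA__ = {"page":{
"id":"11111111-2222-3333-4444-555555555555",
"created_by":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"last_edited_by":"aaaaaaaabbbbccccddddeeeeeeeeeeee",
"editors":["12345678-1234-1234-1234-123456789abc","deadbeefdeadbeefdeadbeefdeadbeef"]}};
</script><p>Nothing user-identifying is visible in the rendered text.</p></body></html>"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit_page(SAMPLE_HTML), indent=2))
```

Point it at your own saved page sources (for example, `audit_page(open("page.html").read())`) and review any key whose name suggests a person rather than a page or block; a distinct count well above the number of current collaborators is the signal to escalate.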
For adjacent reading on how small implementation details create big security consequences, see Today’s TechScan: From Vercel Breach to Voyager Power Cuts.
## Immediate steps for users and workspace admins
The sources outline mitigations you can take now, even before any vendor-side fix lands.
### For individual users
- Avoid editing public pages if you don’t want your identity linked to them via email/photo metadata.
- If you believe your email is exposed, ask workspace admins to review the page’s publishing status and editorial history.
### For workspace admins
- Audit all “Publish to web” pages. Identify which ones truly need to be public.
- Unpublish pages that don’t need public access, at least temporarily.
- Where feasible, remove unnecessary historical editors from sensitive public pages (coverage frames this as a practical mitigation, though organizations may have process constraints).
- Treat exposed emails as potentially harvested: warn staff about phishing, and reinforce caution around unsolicited messages that reference Notion documents or editing activity.
- Consider whether any shared inboxes or internal contact addresses inadvertently exposed should be rotated.
For a broader look at operational “what to do next” thinking after a vendor incident, this explainer format may be helpful: What Happened in Vercel’s April 2026 Breach — and What Developers Should Do.
## Why It Matters Now
April 2026 coverage argues the risk has shifted from theoretical to practical because the exploit has been widely demonstrated, with clear step-by-step reproduction: extract UUIDs from a public page and submit one unauthenticated API call. That simplicity, plus the fact that the leak is silent (it doesn’t show up in the page itself), makes it easy for organizations to miss—while still being easy for attackers to automate at scale.
The renewed attention also reflects frustration that the issue was reportedly raised in 2022 yet still appeared unpatched in 2026. For teams using Notion as public documentation infrastructure, that combination—high exposure potential, low detection visibility, and viral PoCs—creates immediate pressure to audit and reduce risk.
## What to Watch
- Notion’s official response: security advisories, API behavior changes, or a patch that either (a) requires authentication/authorization for UUID-to-PII resolution, or (b) removes/redacts editor identifiers and personal metadata from public pages.
- Signals of active abuse: phishing or doxxing campaigns that reference Notion edits or use avatar images to increase credibility.
- Community detection tooling: scripts or scanners that help organizations locate affected public pages and embedded identifiers—useful for defenders, but also an indicator of how commoditized exploitation has become.
Sources:
- https://netcrook.com/notion-public-pages-leak-editor-emails-photos/
- https://cyberpress.org/public-notion-pages-expose-profile-photos-and-email-addresses-of-editors/
- https://byteiota.com/notion-email-leak-4-year-bug-exposes-all-editors/
- https://teamwin.in/public-notion-pages-leaks-profile-photos-and-email-address-of-editors/
- https://gbhackers.com/public-notion-pages-expose-editors-profile/
- https://news.ycombinator.com/item?id=47824945
## About the Author
yrzhe
AI Product Thinker & Builder. Curating and analyzing tech news at TechScan AI. Follow @yrzhe_top on X for daily tech insights and commentary.