
Notion Email Leak: 4-Year Bug Exposes All Editors


Notion leaks email addresses, full names, and profile photos of every editor on public pages through a simple unauthenticated API request—and has left this vulnerability unfixed for four years despite being reported in 2022. Security researcher @weezerOSINT disclosed the issue on April 19, 2026, revealing that one POST request with zero authentication exposes complete contributor lists for any Notion page shared publicly. For organizations using Notion for documentation, company wikis, or public collaboration, this means every employee who has touched a public page now has their email address exposed to anyone who knows how to query an API.

Unauthenticated API Exposes Complete Workforce Directories

The vulnerability requires zero authentication—no credentials, tokens, or cookies. According to the researcher’s disclosure, “one POST request returns full names, emails, and profile photos for every editor on the page” with “zero authentication – no cookies, tokens, or login credentials needed.” This enables programmatic, scalable harvesting of employee email directories from any organization with public Notion documentation.

Notion’s official documentation confirms that webpage metadata may include names, profile photos, and email addresses of contributors when pages are published. However, there’s a critical distinction between metadata visible in HTML source (standard practice) and an unauthenticated API endpoint that returns this data in structured format on demand. The vulnerability enables automated, bulk collection rather than manual inspection.

For organizations, the impact is immediate. As the researcher notes: “your company wiki is public? every employee’s email is exposed.” This isn’t theoretical—any attacker can enumerate workforce directories, identify key personnel through documentation contributions, and build targeted attack campaigns with validated employee addresses.

Reported 2022, Unfixed 2026: When Bug Bounties Become Security Theater

The industry-standard disclosure timeline is 90 days from initial report to public disclosure. Notion’s actual timeline: 1,460+ days—four years from the researcher’s 2022 submission to continued exploitation in 2026. OWASP and HackerOne guidelines specify 90-day disclosure windows, with potential 2-4 week extensions for complex fixes. Google’s Project Zero established this as the industry norm. Four years exceeds any reasonable justification—this represents a 1,460% overage from industry standards.

The researcher’s question captures community frustration: “what is the point of even having a BBP” (Bug Bounty Program). Notion maintains an active Bug Bounty Program on HackerOne, yet this vulnerability persisted. Research on bug bounty failures reveals a pattern: companies launch BBPs for positive PR and researcher talent access but don’t allocate engineering resources to fix reported issues. When “vendor is unresponsive or decides not to fix,” vulnerabilities never see public disclosure, and users remain at risk unknowingly.

This timeline transforms responsible disclosure into negligence. Security becomes theater when companies maintain Bug Bounty Programs for appearances without commitment to fixing reported vulnerabilities. The gap between Bug Bounty Program PR and actual security investment is where users get hurt.

AI-Powered Phishing: Why Exposed Email Lists Are Catastrophic in 2026

Exposed employee email lists enable four primary attack vectors: AI-powered spear phishing with 192x faster email generation, social engineering attacks using organizational context, workforce enumeration for OSINT reconnaissance, and credential stuffing by correlating with breach databases. The vulnerability was dangerous in 2022 when reported; it’s catastrophic in 2026 with AI-enabled phishing.

Security research shows AI phishing systems reduced attack preparation time from 16 hours to 5 minutes—a 192x speed improvement that fundamentally changes the economics of targeted attacks. What once required specialized skill is now automated and accessible. Meanwhile, spear phishing makes up less than 0.1% of emails but causes 66% of breaches. Global phishing losses exceed $25 billion annually in 2026.

The attack workflow is trivial: Google dork for an organization’s Notion pages (site:notion.site “CompanyName”), query the unauthenticated API for emails, correlate with LinkedIn for roles and context, generate an AI phishing campaign with organizational details, and launch targeted attacks against validated recipients. Attackers use OSINT to “gather publicly available information and target entire businesses or subdepartments,” correlating exposed emails with “password dumps, credential leaks, or CRM exports.”

Organizations with public Notion pages have been unknowingly exposing employee directories for years, potentially fueling successful phishing campaigns without attribution. The damage isn’t speculative—it’s already occurred.


Immediate Actions: Audit, Revoke, Evaluate Alternatives

Organizations need to act immediately, not wait for Notion’s fix. First, audit all public Notion pages—identify which pages are shared publicly (many organizations lose track over time). Second, revoke public access to pages with sensitive contributor lists. Third, consider whether exposed emails require rotation or targeted phishing awareness campaigns. Fourth, evaluate whether Notion meets organizational security requirements going forward.
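The first step, finding every page that is published to the web, can be automated against Notion’s official search API from inside the workspace. The script below is an added example, not code from the article or from Notion: it pages through `POST /v1/search` with an integration token and lists every page whose `public_url` field is set, which Notion populates only for pages published to the web. The endpoint, `Notion-Version` header, pagination fields and `public_url` are as documented by Notion; the token, the sample replies and the user ids are constructed.

```python
import json
import urllib.request
from typing import Callable, Iterator, List

Fetch = Callable[[dict], dict]  # POSTs one search body, returns the parsed JSON reply
NOTION_SEARCH_URL = "https://api.notion.com/v1/search"
NOTION_VERSION = "2022-06-28"  # value sent in the required Notion-Version header

def live_fetcher(token: str) -> Fetch:
    """Fetcher for the real search endpoint, authenticated with an integration token."""
    def fetch(body: dict) -> dict:
        req = urllib.request.Request(
            NOTION_SEARCH_URL, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}",
                     "Notion-Version": NOTION_VERSION,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_pages(fetch: Fetch) -> Iterator[dict]:
    """Yield every page the integration can see, following cursor pagination."""
    body = {"filter": {"property": "object", "value": "page"}, "page_size": 100}
    while True:
        resp = fetch(body)
        yield from resp.get("results", [])
        if not resp.get("has_more"):
            return
        body["start_cursor"] = resp["next_cursor"]

def public_pages(fetch: Fetch) -> List[dict]:
    """Return id, public URL and last editor for every page published to the web."""
    return [{"id": p["id"], "public_url": p["public_url"],
             "last_edited_by": p.get("last_edited_by", {}).get("id")}
            for p in iter_pages(fetch) if p.get("public_url")]  # null unless published

def offline_fetcher(responses: List[dict]) -> Fetch:  # canned replies, served in order
    queue = list(responses)
    return lambda body: queue.pop(0)

# Constructed sample: two paginated replies, three pages, two of them published.
SAMPLE_RESPONSES = [
    {"results": [{"id": "page-1", "public_url": "https://example.notion.site/p1",
                  "last_edited_by": {"object": "user", "id": "user-a"}},
                 {"id": "page-2", "public_url": None, "last_edited_by": {"object": "user", "id": "user-b"}}],
     "has_more": True, "next_cursor": "cursor-1"},
    {"results": [{"id": "page-3", "public_url": "https://example.notion.site/p3",
                  "last_edited_by": {"object": "user", "id": "user-c"}}],
     "has_more": False, "next_cursor": None},
]
```

Search only returns pages the integration has been shared with, so grant it access to each top-level page or teamspace you want covered, then run `public_pages(live_fetcher(token))` and review every returned URL for unintended publication.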

Privacy-focused alternatives offer different security models. Obsidian stores notes locally as plain Markdown with end-to-end encrypted collaboration; Anytype is end-to-end encrypted and local-first by design; Confluence offers self-hosted options with compliance and audit readiness. For security-conscious organizations, Notion’s cloud-only, no-self-hosting model may not align with privacy requirements, especially under GDPR where email addresses are PII.

Even after Notion patches this (likely rapidly now that it’s publicly disclosed), historical exposure has already occurred. Phishing campaigns may already be using harvested email lists. This isn’t about waiting for a fix—it’s about understanding the damage window extends back to 2022.

Key Takeaways

  • Notion’s 4-year delay isn’t a mistake—it’s a choice. When disclosed vulnerabilities languish unfixed for 1,460+ days (16x longer than industry standards), it transforms security from a defensive practice into security theater.
  • Exposed email lists are catastrophic in 2026’s AI-phishing landscape. What took attackers 16 hours in 2022 now takes 5 minutes with AI-powered spear phishing—a 192x speed improvement that amplifies the vulnerability’s damage potential.
  • Bug Bounty Programs without fixes are PR stunts, not security. Less than 1% of vendors have active BBPs, and many don’t fix reported issues. When BBPs become resume lines for security teams rather than vulnerability management systems, users suffer.
  • Audit your Notion public pages immediately. Don’t wait for Notion’s fix—historical exposure has already occurred. Identify public pages, revoke access, evaluate if exposed emails require phishing awareness campaigns.
  • Evaluate privacy-focused alternatives. Obsidian (local-first), Anytype (end-to-end encrypted), and Confluence (self-hosted) offer different security models for organizations where Notion’s cloud-only approach creates unacceptable risk.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
