Notion: Notion public pages found leaking user emails and profile pictures

Notion Privacy Leak Exposes User Metadata in Public Pages

A recent investigation has revealed a privacy risk in Notion, the widely used productivity platform with tens of millions of users. Cybersecurity researchers found that publicly shared pages may inadvertently expose personal metadata of collaborators, including usernames, profile images, and email addresses.

The issue stems from Notion’s design: when users publish pages without restrictions, the platform includes internal metadata alongside the visible content. While this behavior is intentional, researchers argue that its privacy implications are often overlooked by users, who may not realize they are exposing sensitive details.

The vulnerability affects both individual users and organizations that rely on Notion for public documentation, knowledge bases, or shared repositories. Any unrestricted page could potentially leak contributor data, raising concerns about unintended exposure.

Notion initially defended its practices, stating that users were warned about metadata exposure during publishing. However, researchers demonstrated that these warnings were not consistently displayed in the interface. Following public backlash, the company acknowledged the issue, with spokesperson Max Schoening calling the current behavior "unacceptable." Notion is now exploring solutions, such as removing personal identifiers from public API responses or implementing email masking, similar to GitHub’s approach.
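The two remediation options named above, shown as an added sketch (not Notion's code and not part of the original report): a filter applied to a response before it is served anonymously, which either strips personal fields or replaces each email with a keyed alias. The field names, the sample payload, the relay domain and the HMAC alias format are all assumptions made for illustration; the alias scheme is not GitHub's actual format.

```python
import hashlib
import hmac
import re

# Hypothetical field names for illustration; not Notion's real response schema.
PERSONAL_KEYS = {"email", "name", "profile_photo"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MASK_DOMAIN = "users.noreply.example"  # placeholder relay domain

SAMPLE = {  # constructed sample, not captured from any real service
    "page": {"title": "Team handbook", "body": "Questions? Mail alice@corp.example."},
    "editors": [
        {"id": "u1", "name": "Alice", "email": "alice@corp.example", "profile_photo": "https://img.example/a.png"},
        {"id": "u2", "name": "Bob", "email": "Bob@corp.example", "profile_photo": None},
    ],
}


def mask_email(address: str, secret: bytes) -> str:
    """Map an address to a stable alias that cannot be linked back without the secret."""
    digest = hmac.new(secret, address.lower().encode(), hashlib.sha256).hexdigest()
    return f"{digest[:12]}@{MASK_DOMAIN}"


def sanitize(node, secret: bytes, mode: str = "mask"):
    """Return a copy of a JSON-like structure that is safe to serve publicly.

    mode="mask" keeps names and photos but aliases emails; mode="strip"
    drops every personal field. The input is never modified.
    """
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if mode == "strip" and key in PERSONAL_KEYS:
                continue
            if key == "email" and isinstance(value, str):
                out[key] = mask_email(value, secret)
            else:
                out[key] = sanitize(value, secret, mode)
        return out
    if isinstance(node, list):
        return [sanitize(item, secret, mode) for item in node]
    if isinstance(node, str):
        # Addresses typed into free-text fields leak just as well as metadata.
        return EMAIL_RE.sub(lambda m: mask_email(m.group(0), secret), node)
    return node
```

Because the alias is keyed and case-insensitive, the same collaborator gets the same alias on every page, so attribution still works without revealing the address.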

While the company works on a fix, the incident highlights the broader risks of metadata exposure in collaborative platforms.

Source: https://www.escudodigital.com/en/cybersecurity/notion-public-pages-found-leaking-user-emails-and-profile-pictures.html

Notion cybersecurity rating report: https://www.rankiteo.com/company/notionhq

"id": "NOT1776839801",
"linkid": "notionhq",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Individual users and '
                                              'organizations using public '
                                              'pages',
                        'industry': 'Productivity Software',
                        'name': 'Notion',
                        'size': 'Tens of millions of users',
                        'type': 'Company'}],
 'attack_vector': 'Unintended metadata exposure in public pages',
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'Personally identifiable information',
                 'type_of_data_compromised': 'Metadata (usernames, profile '
                                             'images, email addresses)'},
 'description': 'A recent investigation revealed a privacy risk in Notion '
                'where publicly shared pages may inadvertently expose personal '
                'metadata of collaborators, including usernames, profile '
                'images, and email addresses. The issue stems from Notion’s '
                'design where internal metadata is included alongside visible '
                'content in unrestricted pages, raising concerns about '
                'unintended exposure for both individual users and '
                'organizations.',
 'impact': {'brand_reputation_impact': 'Public backlash and reputational '
                                       'damage',
            'data_compromised': 'Usernames, profile images, email addresses',
            'identity_theft_risk': 'Potential risk due to exposed email '
                                   'addresses and personal identifiers',
            'systems_affected': 'Notion public pages and API responses'},
 'lessons_learned': 'Highlights the broader risks of metadata exposure in '
                    'collaborative platforms and the importance of clear user '
                    'warnings.',
 'post_incident_analysis': {'corrective_actions': 'Exploring technical '
                                                  'solutions (e.g., email '
                                                  'masking, API changes) and '
                                                  'improving user interface '
                                                  'warnings',
                            'root_causes': 'Design flaw in metadata handling '
                                           'for public pages and inconsistent '
                                           'user warnings'},
 'recommendations': 'Implement email masking, remove personal identifiers from '
                    'public API responses, and improve user interface warnings '
                    'about metadata exposure.',
 'references': [{'source': 'Cybersecurity researchers'}],
 'response': {'communication_strategy': 'Acknowledged the issue publicly and '
                                        'committed to a fix',
              'remediation_measures': 'Exploring solutions such as removing '
                                      'personal identifiers from public API '
                                      'responses or implementing email '
                                      'masking'},
 'title': 'Notion Privacy Leak Exposes User Metadata in Public Pages',
 'type': 'Privacy Leak',
 'vulnerability_exploited': 'Design flaw in metadata handling for public pages'}