
every public Notion page is leaking the email addresses of everyone who edited it. zero authentication. no cookies. no tokens. one POST request returns full names, emails, and profile photos for every editor on the page. your company wiki is public? every employee's email is exposed. right now. reported in 2022. still works in 2026. like what is the point of even having a BBP thread




notion's API returns editor UUIDs in the permissions of any public page. no auth needed. i hit their own Community page. got 13 user IDs from block permissions. fed them into /api/v3/syncRecordValuesMain. 12 emails back. notion employees, a production service account (svc-notion-prod@makenotion.com), and an external contractor. all from one page.


notion pages are everywhere. company wikis, job boards, public docs, onboarding guides. google "site:notion.site" and you get thousands. every one of those pages is silently leaking editor emails to anyone who sends one unauthenticated API call. enterprise workspace with 500 employees sharing a public page? that's 500 corporate emails in a single request. no rate limiting. batch 50 users at a time. pair it with getLoginOptions (also zero auth) and you know which ones use passwords vs SSO. credential stuffing just got a free target list.

the original report was filed on HackerOne. July 28, 2022. almost 4 years ago. notion triaged it as "informative." no fix. no CVE. no bounty. i independently found the same bug. reported it. marked duplicate. tested again today. still returns emails. same endpoint. same zero auth. if your team has a public notion page, your emails are exposed. check your sharing settings.

this 11 billion dollar company made a business decision to leave customer PII exposed.

@NotionHQ Just close your Bug Bounty Program


https://x.com/weezerOSINT/status/2046018181064695971?s=20