AI meeting note-taker Granola makes notes viewable to anyone with a link by default, and uses them for AI training unless users opt out.
Granola, an AI-powered meeting note-taking app, was found to make all user notes accessible to anyone with a link by default — including portions of meeting transcripts — without requiring sign-in. The app also defaults to using meeting notes and transcripts for internal AI training. Users must manually opt out of both behaviors in settings. Granola stores notes and transcripts (not audio) in AWS, encrypted at rest and in transit.
This isn't a technical vulnerability; it's a default configuration issue that exposes meeting content at the app layer. If your team uses Granola to document architecture discussions, vendor negotiations, or security reviews, those notes are, by default, readable by anyone who has the link, with no sign-in required. The AI training opt-out is a secondary concern, but the link-sharing default is the immediate risk.
Open your Granola settings now and toggle 'viewable to anyone with link' to off, then audit whether any notes containing API keys, architecture decisions, or vendor names were previously shared externally.