It didn’t take long for Notion 3.0’s new AI agents to show a serious weakness: they can be tricked into leaking sensitive data through something as simple as a malicious PDF.
With the release of Notion 3.0, the company introduced autonomous AI agents that can handle tasks on their own, from drafting documents and updating databases to automating workflows across connected tools. Users can customize these agents and set them to run based on schedules or triggers.
But according to a report from CodeIntegrity, this autonomy comes with major security risks. At the center is what researchers call the "lethal trifecta": the combination of LLM agents, tool access, and long-term memory. Traditional access controls like RBAC aren’t enough to prevent abuse in this setup.
One of the most dangerous features is the built-in web search tool, functions.search. It’s designed to let Notion agents fetch information from external URLs, but it can just as easily be manipulated to exfiltrate data.
To prove the point, CodeIntegrity staged a demo attack. They crafted a seemingly harmless PDF disguised as a customer feedback report. Hidden within it was a prompt that looked like an internal work instruction, complete with steps for uploading sensitive client data to an attacker-controlled server via the web search tool.
The exploit plays out as soon as a user uploads the PDF into Notion and asks the agent to "summarize the report." The agent dutifully follows the hidden instructions, extracts data, and sends it to the attacker's server through the web search tool's URL fetch. The test used Claude Sonnet 4.0, a state-of-the-art language model that still succumbed to the trick despite its guardrails.
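One mitigation for the exfiltration path described above is an egress gate that sits between the agent and its URL-fetching tool, refusing destinations outside an allowlist and URLs that carry opaque data in the query or path. The following is an added, constructed example (not Notion's or CodeIntegrity's code); the allowlisted hosts, the size threshold, and the sample tool-call records are assumptions.

```python
"""Egress gate for an agent's URL-fetching tool (constructed example)."""
import re
from urllib.parse import parse_qsl, urlparse

# Hypothetical allowlist: the only hosts the fetch tool may contact.
ALLOWED_HOSTS = {"docs.python.org", "en.wikipedia.org"}
MAX_QUERY_BYTES = 256  # assumption: legitimate search queries are short
# Long runs of base64-ish characters are a crude signal of smuggled data.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{40,}")


def check_fetch(url: str) -> dict:
    """Decide whether the tool may fetch `url`; list every reason it may not."""
    parts = urlparse(url)
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("bad-scheme")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        reasons.append("host-not-allowlisted")
    if len(parts.query.encode()) > MAX_QUERY_BYTES:
        reasons.append("oversized-query")
    # Inspect each query value separately so a single opaque blob is caught.
    if any(OPAQUE_TOKEN.search(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)):
        reasons.append("opaque-token-in-query")
    if OPAQUE_TOKEN.search(parts.path):
        reasons.append("opaque-token-in-path")
    return {"allowed": not reasons, "host": host, "reasons": reasons}


def audit(tool_calls: list[dict]) -> list[dict]:
    """Run the gate over recorded tool calls; return those that would be blocked."""
    blocked = []
    for call in tool_calls:
        verdict = check_fetch(call["url"])
        if not verdict["allowed"]:
            blocked.append({**call, "reasons": verdict["reasons"]})
    return blocked


# Constructed tool-call log, not real Notion traffic: one benign lookup and
# one fetch whose query carries a long opaque blob to an unknown host.
SAMPLE_TOOL_CALLS = [
    {"tool": "functions.search", "url": "https://docs.python.org/3/library/urllib.html"},
    {"tool": "functions.search", "url": "https://collector.example/upload?payload=" + "Q" * 48},
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_TOOL_CALLS):
        print("BLOCKED", entry["url"], entry["reasons"])
```

In a real deployment the gate runs before any network call is made, so a blocked verdict means the fetch never leaves the system; the reasons list is what you would log for detection.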
The problem goes beyond PDFs. Notion 3.0’s agents can also connect directly to third-party services like GitHub, Gmail, or Jira. Any of these integrations could become vectors for indirect prompt injections, where malicious content is smuggled in and leveraged to make the AI act against the user’s intent.