- Added Notion's statement
Update from September 22, 2025:
Notion has responded to security concerns about its AI agents (see below). To counter prompt injection attacks—hidden manipulations in user inputs or uploaded files—Notion has upgraded its internal detection systems, according to a company spokesperson.
The company says these upgrades now catch "a broader range of injection patterns, including those hidden in file attachments." A dedicated security team also runs regular red teaming exercises to proactively identify and fix potential vulnerabilities.
Prompt injection isn't just a Notion problem. The issue affects all LLM-based systems, especially agent-style architectures where language models act on their own. These setups often combine several LLM processes with tool access and long-term memory, making them complex and potentially vulnerable to hidden manipulation. Smaller, less robust language models are also used more often in these scenarios, which raises the risk even further. "We know prompt injection and AI safety is a new field," a Notion spokesperson says.
New safeguards for links and web access
Notion has also tightened controls around external links. Before an agent opens any suspicious or model-generated link, users now have to approve it. Administrators can set centralized policies for when these links can be activated.
Admins can also fully disable agents' web access. New admin tools offer more granular control over when and how AI agents interact with external content.
Original article from September 21, 2025:
Notion 3.0's new AI agents can be tricked into leaking data through a malicious PDF
It didn’t take long for Notion 3.0’s new AI agents to show a serious weakness: they can be tricked into leaking sensitive data through something as simple as a malicious PDF.
With the release of Notion 3.0, the company introduced autonomous AI agents that can handle tasks on their own, from drafting documents and updating databases to automating workflows across connected tools. Users can customize these agents and set them to run based on schedules or triggers.
But according to a report from CodeIntegrity, this autonomy comes with major security risks. At the center is what researchers call the "lethal trifecta": the combination of LLM agents, tool access, and long-term memory. Traditional access controls like RBAC aren’t enough to prevent abuse in this setup.
One of the most dangerous features is the built-in web search tool, functions.search. It’s designed to let Notion agents fetch information from external URLs, but it can just as easily be manipulated to exfiltrate data.
To prove the point, CodeIntegrity staged a demo attack. They crafted a seemingly harmless PDF disguised as a customer feedback report. Hidden within it was a prompt that looked like an internal work instruction, complete with steps for uploading sensitive client data to an attacker-controlled server via the web search tool.
The exploit plays out as soon as a user uploads the PDF into Notion and asks the agent to "summarize the report." The agent dutifully follows the hidden instructions, extracts data, and transmits it over the network. The test used Claude Sonnet 4.0, a state-of-the-art language model that still succumbed to the trick despite its guardrails.
The problem goes beyond PDFs. Notion 3.0’s agents can also connect directly to third-party services like GitHub, Gmail, or Jira. Any of these integrations could become vectors for indirect prompt injections, where malicious content is smuggled in and leveraged to make the AI act against the user’s intent.
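The mitigation Notion describes in its update (approval before an agent opens a model-generated link, admin allowlists, and a switch to disable web access) maps onto a simple policy gate in front of the web search tool. The following Python is an added illustration written for this article, not Notion's code: the tool name `functions.search` is from the report, while `WebPolicy`, `classify_origin`, the allowlist and the exfiltration heuristic are assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed policy mirroring the controls described in the update:
# a web-access switch, an admin allowlist, and approval for model-generated links.
@dataclass
class WebPolicy:
    web_access_enabled: bool = True
    allowed_hosts: set = field(default_factory=set)   # hypothetical admin allowlist
    approve_model_links: bool = True                  # human approval for model-originated URLs

def classify_origin(url: str, user_request: str) -> str:
    """A URL the user never typed (e.g. one read out of an uploaded PDF) counts as model-generated."""
    return "user" if url in user_request else "model"

def host_allowed(host: str, allowed_hosts: set) -> bool:
    """Exact match or subdomain of an allowlisted host."""
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)

def looks_like_exfil(url: str) -> bool:
    """Heuristic: very long or base64-looking query strings suggest data smuggled in the URL."""
    q = urlparse(url).query
    return len(q) > 200 or bool(re.search(r"[A-Za-z0-9+/=]{64,}", q))

def gate_search_call(url: str, origin: str, policy: WebPolicy) -> str:
    """Decide what to do with a functions.search call before it leaves the workspace.
    origin is 'user' or 'model'; returns 'allow', 'needs_approval' or 'block'."""
    if not policy.web_access_enabled:           # admin disabled agent web access
        return "block"
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return "block"
    if not host_allowed(host, policy.allowed_hosts):
        # unknown destination carrying a payload-sized query: never fetch it
        return "block" if looks_like_exfil(url) else "needs_approval"
    if origin == "model" and policy.approve_model_links:
        return "needs_approval"                 # allowlisted, but the model chose the link
    return "allow"

if __name__ == "__main__":
    policy = WebPolicy(allowed_hosts={"docs.example.com"})    # constructed allowlist
    request = "summarize the report"                          # the user's actual ask
    hidden = "https://collector.example/upload?data=" + "Q" * 300  # constructed URL from a PDF
    print(gate_search_call(hidden, classify_origin(hidden, request), policy))  # block
```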