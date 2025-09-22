AI in practice
Update
Maximilian Schreiner

Notion AI agents get security update after data leak

Sora prompted by THE DECODER
Notion AI agents get security update after data leak
Max is the managing editor of THE DECODER, bringing his background in philosophy to explore questions of consciousness and whether machines truly think or just pretend to.
Profile
E-Mail
Content
summary Summary
Update
  • Added Notion's statement

Update from September 22, 2025:

Ad

Notion has responded to security concerns about its AI agents (see below). To counter prompt injection attacks—hidden manipulations in user inputs or uploaded files—Notion has upgraded its internal detection systems, according to a company spokesperson.

The company says these upgrades now catch "a broader range of injection patterns, including those hidden in file attachments." A dedicated security team also runs regular red teaming exercises to proactively identify and fix potential vulnerabilities.

Prompt injection isn't just a Notion problem. The issue affects all LLM-based systems, especially agent-style architectures where language models act on their own. These setups often combine several LLM processes with tool access and long-term memory, making them complex and potentially vulnerable to hidden manipulation. Smaller, less robust language models are also used more often in these scenarios, which raises the risk even further. "We know prompt injection and AI safety is a new field," a Notion spokesperson says.

Ad
Ad

New safeguards for links and web access

Notion has also tightened controls around external links. Before an agent opens any suspicious or model-generated link, users now have to approve it. Administrators can set centralized policies for when these links can be activated.

Admins can also fully disable agents' web access. New admin tools offer more granular control over when and how AI agents interact with external content.

Original article from September 21, 2025:

Notion 3.0's new AI agents can be tricked into leaking data through a malicious PDF

It didn’t take long for Notion 3.0’s new AI agents to show a serious weakness: they can be tricked into leaking sensitive data through something as simple as a malicious PDF.

With the release of Notion 3.0, the company introduced autonomous AI agents that can handle tasks on their own, from drafting documents and updating databases to automating workflows across connected tools. Users can customize these agents and set them to run based on schedules or triggers.

Recommendation
AI in practice
Update

Kimi-K2 is the next open-weight AI milestone from China after Deepseek

But according to a report from CodeIntegrity, this autonomy comes with major security risks. At the center is what researchers call the "lethal trifecta": the combination of LLM agents, tool access, and long-term memory. Traditional access controls like RBAC aren’t enough to prevent abuse in this setup.

One of the most dangerous features is the built-in web search tool, functions.search. It’s designed to let Notion agents fetch information from external URLs, but it can just as easily be manipulated to exfiltrate data.

To prove the point, CodeIntegrity staged a demo attack. They crafted a seemingly harmless PDF disguised as a customer feedback report. Hidden within it was a prompt that looked like an internal work instruction, complete with steps for uploading sensitive client data to an attacker-controlled server via the web search tool.

The exploit plays out as soon as a user uploads the PDF into Notion and asks the agent to "summarize the report." The agent dutifully follows the hidden instructions, extracts data, and transmits it over the network. The test used Claude Sonnet 4.0, a state-of-the-art language model that still succumbed to the trick despite its guardrails.

Ad
Ad
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.

The problem goes beyond PDFs. Notion 3.0’s agents can also connect directly to third-party services like GitHub, Gmail, or Jira. Any of these integrations could become vectors for indirect prompt injections, where malicious content is smuggled in and leveraged to make the AI act against the user’s intent.

Support our independent, free-access reporting. Any contribution helps and secures our future. Support now:
Bank transfer
Summary
  • Notion 3.0 introduced autonomous AI agents that can draft documents, manage databases, and automate workflows, but researchers found they can be manipulated into leaking sensitive data.
  • A report from CodeIntegrity showed how a malicious PDF disguised as a customer report tricked an agent into uploading private client data to an attacker server using Notion’s built-in web search tool.
  • The risk extends well beyond PDFs, as integrations with services like GitHub, Gmail, and Jira could serve as entry points for indirect prompt injection attacks that bypass traditional access controls.
Sources
CodeIntegrity
Max is the managing editor of THE DECODER, bringing his background in philosophy to explore questions of consciousness and whether machines truly think or just pretend to.
Profile
E-Mail
AI in practice

OpenAI and Nvidia announce 10-gigawatt partnership for AI infrastructure

News, tests and reports about VR, AR and MIXED Reality.
What happens next with MIXED My personal farewell to MIXED Meta and Anduril are now jointly developing XR headsets for the US military MIXED-NEWS.com
AI in practice

Deepseek's hybrid reasoning model V3.1-Terminus delivers higher scores on tool-based agent tasks

AI in practice

ChatGPT's Deep Research mode let attackers steal Gmail data with hidden instructions in emails

Google News
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.

Notion AI agents get security update after data leak

Bank details

IBAN: DE88 2507 0070 0053 0014 00
BIC: DEUTDE2HXXX
Account holder: Deep Content GmbH
Purpose: Support THE DECODER
AI research

OpenAI outperforms humans and Google at the world's top collegiate programming contest

AI in practice

New data from OpenAI and Anthropic show how people actually use ChatGPT and Claude

AI and society

Leading AI chatbots are now twice as likely to spread false information as last year, study finds

Google News