With the release of Notion 3.0, its new autonomous AI agent feature, designed to help users automatically complete tasks such as drafting documents, updating databases, and managing workflows, has attracted significant attention. However, a recent report from the cybersecurity company CodeIntegrity revealed a serious security vulnerability in these AI agents: a malicious file, such as a PDF, can trick an agent into bypassing its security protections and leaking sensitive data.


CodeIntegrity attributes this vulnerability to what it calls the "fatal trio" of AI agent capabilities: large language models (LLMs), tool access permissions, and long-term memory. The researchers pointed out that traditional access control measures, such as role-based access control (RBAC), cannot provide adequate protection in this environment, because the agent itself holds the user's permissions and can be steered by whatever content it reads.

The core of the vulnerability is Notion 3.0's built-in web search tool, functions.search. Although its intended purpose is to let the AI agent retrieve external information, the same tool can be manipulated into sending information out, which makes it a ready channel for data theft.

To demonstrate this, the CodeIntegrity team built a proof-of-concept attack: they crafted a seemingly harmless PDF file containing a hidden malicious instruction that directed the AI agent to upload sensitive customer data, via the web search tool, to a server controlled by the attacker. Once the user uploaded this PDF to Notion and asked the agent to "summarize the report," the agent faithfully executed the hidden instruction, extracting and transmitting the data. Notably, the attack succeeded even with the advanced language model Claude Sonnet 4.0, indicating that a state-of-the-art model's own protective measures did not prevent it.

The report also warns that this issue is not limited to PDF files. The AI agents in Notion 3.0 can connect to third-party services such as GitHub, Gmail, or Jira, and any such integration could serve as a carrier for indirect prompt injection. Malicious content arriving through any of these channels can prompt the AI agent to take actions that run counter to the user's intent.
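The practical defence the report points toward is to stop treating a tool call as trustworthy just because the agent requested it: the arguments of an outbound call such as a web search must be checked against an egress policy before the call is made. The example below is a small policy gate of that kind, added here for illustration. It is not Notion's functions.search, nor code from CodeIntegrity, and every name in it (check_search_call, ALLOWED_HOSTS, SESSION_SECRETS, the sample customer values) is a constructed assumption. It applies the same checks to any tool call, so it covers the GitHub, Gmail and Jira integrations mentioned above as well as the PDF case: URLs in the arguments must point at an allowlisted host, the arguments must not carry any value from the session's sensitive data set, and PII-shaped tokens or oversized "queries" are refused.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical policy gate placed between an AI agent and its web search tool.
# Constructed for this example; not Notion's functions.search and not CodeIntegrity's code.

# Hosts the search tool may contact (assumption: the operator maintains this allowlist).
ALLOWED_HOSTS = {"search.example.com"}

# Sensitive values loaded into the agent's context for this session
# (constructed sample customer data). Untrusted document text must never be
# able to steer the tool into sending these out.
SESSION_SECRETS = {
    "alice@example.org",
    "4111-1111-1111-1111",
}

# Detect structured sensitive data even if it is not in the session set.
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),       # e-mail address
    re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b"),   # card-like number
]

MAX_QUERY_LEN = 200  # an oversized "search query" is a classic sign of a smuggled payload


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def _strings_in(args):
    """Yield every string nested anywhere in the tool-call arguments."""
    if isinstance(args, str):
        yield args
    elif isinstance(args, dict):
        for v in args.values():
            yield from _strings_in(v)
    elif isinstance(args, (list, tuple)):
        for v in args:
            yield from _strings_in(v)


def check_search_call(args, allowed_hosts=ALLOWED_HOSTS, secrets=SESSION_SECRETS):
    """Decide whether a proposed search-tool call may be executed.

    Returns a Decision whose reasons list explains every policy violation found,
    so a denied call can be logged for incident review.
    """
    reasons = []
    for s in _strings_in(args):
        # 1. Egress allowlist: any URL in the arguments must target an allowed host.
        for url in re.findall(r"https?://\S+", s):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                reasons.append(f"host not allowlisted: {host}")
        # 2. Data guard: arguments must not contain values from the session's sensitive set.
        for sec in secrets:
            if sec in s:
                reasons.append(f"session secret in arguments: {sec}")
        # 3. Shape checks on the argument text itself.
        if any(p.search(s) for p in PII_PATTERNS):
            reasons.append("PII-like token in arguments")
        if len(s) > MAX_QUERY_LEN:
            reasons.append("argument exceeds query length limit")
    # De-duplicate while keeping order so the audit log stays readable.
    seen, uniq = set(), []
    for r in reasons:
        if r not in seen:
            seen.add(r)
            uniq.append(r)
    return Decision(allowed=not uniq, reasons=uniq)


if __name__ == "__main__":
    # A normal search the agent might issue while summarising a document.
    print(check_search_call({"query": "notion 3.0 agent release notes"}))
    # A call shaped like the one a hidden instruction would try to trigger:
    # customer data packed into the URL of a host the operator never approved.
    print(check_search_call(
        {"query": "https://untrusted.invalid/collect?data=alice@example.org"}))
```

The gate is deliberately independent of the model: it does not try to judge whether the agent "meant" to exfiltrate, only whether the concrete arguments are permitted. That is the point the report makes about RBAC being insufficient, since the agent already holds the user's rights; what the policy constrains instead is the data and destinations any single tool call can reach.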