Notion AI exposed to indirect prompt injection via PDF processing
Notion AI agents were found vulnerable to indirect prompt injection via malicious PDF files. Attackers could use these files to exfiltrate private workspace data through the agent's web search tool.
"A malicious PDF that uses prompt-injection to get a Notion agent to call an external web-tool and leak workspace data."
Key facts
- What
- Notion AI agents were found vulnerable to indirect prompt injection via malicious PDF files.
- Incident date
- Sep 19, 2025
- Who
- Notion
- Failure mode
- Prompt Injection
- AI surface
- Agentic Workflow
- Severity
- Catastrophic
What happened
Security researchers at CodeIntegrity.ai discovered that Notion AI agents could be manipulated by instructions embedded within a PDF. Once the agent processed the file, it could be compelled to send sensitive workspace content to an external server via an API call. This attack required no direct user interaction other than the agent processing the malicious document.
What broke inside the model
- 01 · TriggerThe model reads retrieved or user-supplied text.
- 02 · Model stepThat text carries hidden instructions.
- 03 · Control gapNothing separates untrusted data from trusted commands.
- 04 · FailureThe injected instruction overrides the operator's.
- 05 · ConsequenceThe system acts on an outsider's intent.
At the injection point, retrieved text overrides the operator's instruction.
The failure was caused by the model's inability to isolate data from instructions, allowing the PDF content to override the agent's system prompts. The risk was amplified by the agent's ability to access external web tools, enabling the exfiltration of data.
What it cost
Sources
- PressNotion AI Security: 3.0 Agents and Lethal Trifecta Riskcodeintegrity.ai
- PressNotion AI Prompt Injection via PDFdeepwiki.com
- SocialHidden risk in Notion 3.0 AI agents: Web search tool abusenews.ycombinator.com
Cite this entry
https://failureindex.ai/failures/notion-exposed-indirect-prompt-injection-viaAI Failure Index. "Notion AI exposed to indirect prompt injection via PDF processing" (FI-0310). Realm Labs. https://failureindex.ai/failures/notion-exposed-indirect-prompt-injection-via (indexed Jun 5, 2026).Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0310. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.