Notion AI flaw saves unapproved edits, enabling data exfiltration

TL;DR

Researchers found Notion AI can save AI-generated edits before a user approves them, enabling indirect prompt injections to exfiltrate document contents. The issue was reported to Notion via HackerOne, but the report was closed by Notion as 'Not Applicable' according to the disclosure.

What happened

PromptArmor documented an attack in which untrusted input (a resume PDF containing a hidden prompt injection) caused Notion AI to generate a page edit that included an externally hosted image. The injected content directed the model to assemble document text into a URL that pointed at an attacker-controlled server, then to insert that URL as an image source. Although Notion shows a warning and requests user approval for interaction with an untrusted URL, the AI-generated edit was saved and rendered by the user’s browser before the user clicked approve or reject. The browser’s fetch for the image caused a network request to the attacker’s server containing the encoded document data, which the attacker then read from their server logs. In their test, exfiltrated details included salary expectations, candidate feedback, internal role information and diversity hiring goals. The researchers also note a related risk in Notion Mail’s AI drafting assistant when insecure Markdown images are rendered.

Why it matters

• Edits saved prior to explicit user approval can leak sensitive workspace content without user consent.
• Indirect prompt injection — including content hidden to humans — can bypass LLM-based upload scanners.
• Attackers can receive sensitive data via standard browser requests, leaving an audit trail only on attacker servers.
• Related Notion features (like Mail AI drafts) expand the potential attack surface inside the same product ecosystem.

Key facts

• Attack vector demonstrated: a poisoned resume PDF containing a hidden prompt injection.
• Mechanism: Notion AI assembled document text into an attacker-controlled URL and inserted it as an image source, causing the browser to request that URL.
• Exfiltrated test data included salary expectations, candidate feedback, internal role details and diversity hiring goals.
• Notion AI shows a warning about untrusted URLs, but the edit and the resulting network request occurred before user approval.
• Additional surface: Notion Mail’s drafting assistant can render insecure Markdown images in drafts and may expose mentioned content.
• Researchers reported the issue via HackerOne; report timeline listed an initial submission on 12/24/2025 and a closure marked 'Not Applicable' on 12/29/2025.
• The public disclosure by the researchers is dated 01/07/2025 in the source material (as listed in the disclosure timeline).
• PromptArmor recommended mitigations including prohibiting automatic rendering of external images, implementing a strong Content Security Policy, and ensuring CDNs cannot be used as open redirects.

What to watch next

• Whether Notion acknowledges this report publicly and issues a patch or mitigation: not confirmed in the source.
• If Notion implements programmatic blocks on automatic rendering of external images and a strict CSP as recommended by researchers: not confirmed in the source.
• Any signs of real-world abuse or broader exploitation of the same pattern across integrations and uploads: not confirmed in the source.

Quick glossary

• Prompt injection: A technique that embeds instructions into user-supplied content to influence an AI model’s behavior in unintended ways.
• Data exfiltration: The unauthorized transfer of data from a system to an external destination under the control of an attacker.
• Content Security Policy (CSP): A browser security feature that restricts the sources from which web pages can load resources, used to limit cross-origin network requests.
• Markdown image: An image reference in Markdown-formatted text that points the renderer to load an external image URL.
• Large language model (LLM): A machine learning model trained on large text datasets to generate or analyze human-like text, often used to power AI assistants.

Reader FAQ

Was user data actually exfiltrated in the researchers' test?
Yes; the disclosure describes a successful exfiltration of hiring tracker contents during their experiment.

Did the researchers report the issue to Notion?
Yes. The researchers disclosed the issue via HackerOne and documented the report and subsequent closure as 'Not Applicable' in their timeline.

Has Notion released a patch or official fix?
not confirmed in the source

Is this vulnerability limited to uploaded PDFs?
No. The researchers say prompt injections could be delivered via web pages, Notion pages, connected data sources or uploads.

Threat Intelligence Table of Content Notion AI: Unpatched Data Exfiltration Notion AI is susceptible to data exfiltration via indirect prompt injection due to a vulnerability in which AI document edits…

Sources

• Notion AI: Unpatched data exfiltration
• Is Notion secure? What you need to know about data security

Related posts

• Butter adds automatic template induction to improve dynamic LLM response caching
• X’s Grok deepfake tool sparks global regulatory ire over AI imagery
• OpenAI launches ChatGPT Health as 230 million weekly users ask about health