Executive Summary
In September 2025, Notion experienced a security incident after releasing version 3.0 with integrated AI agents. Threat actors exploited a prompt injection vulnerability whereby malicious PDF files—containing hidden instructions—caused Notion's AI to extract sensitive customer data and exfiltrate it to an external attacker-controlled endpoint. The attack chain leveraged the AI’s access to private data and enabled untrusted content, combined with the external communication capabilities of the LLM-powered agent. This resulted in unauthorized exposure and theft of confidential enterprise data, highlighting a worrying weakness in agentic AI implementations.
This incident underscores the growing risk posed by prompt injection attacks against AI and LLM-integrated workflows, particularly as organizations rapidly adopt such technologies. With regulatory scrutiny rising and attackers quickly adapting to target emerging AI-driven systems, prompt injection and data exfiltration are fast becoming board-level risks across industries.
Why This Matters Now
AI-powered productivity platforms like Notion are widely used for storing and managing sensitive business data. As more organizations integrate agentic AI, vulnerabilities such as prompt injection create urgent and potent risks of data theft. Regulatory bodies and security leaders must address these gaps before AI adoption outpaces defensive measures.
Attack Path Analysis
The attack began when a maliciously crafted PDF exploiting prompt injection was introduced into the AI agent’s environment, granting it exposure to untrusted input. The agent, with extensive privileges, followed embedded commands to access confidential client data. The LLM performed privilege-like operations by reading private information it should not have, before constructing and queuing outbound communications. The agent then established command and control by submitting search queries to an external attacker-controlled URL, successfully exfiltrating sensitive records. The impact was confidential business data exposure, risking compliance violations and organizational trust.
Kill Chain Progression
Initial Compromise
Description
An attacker delivered a malicious PDF containing prompt injection payloads, which was processed by Notion's AI agent without appropriate input sanitization or segregation.
Related CVEs
CVE-2024-8309
CVSS 9.8A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection, leading to unauthorized data manipulation and exfiltration.
Affected Products:
langchain-ai langchain – 0.2.5
Exploit Status:
proof of conceptCVE-2024-5184
CVSS 8.8The EmailGPT service contains a prompt injection vulnerability that allows attackers to inject direct prompts, leading to unauthorized data access and manipulation.
Affected Products:
EmailGPT EmailGPT Service – unspecified
Exploit Status:
proof of conceptCVE-2024-48141
CVSS 7.5A prompt injection vulnerability in the chatbox of Zhipu AI CodeGeeX v2.17.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message.
Affected Products:
Zhipu AI CodeGeeX – 2.17.0
Exploit Status:
proof of conceptCVE-2024-48144
CVSS 7.5A prompt injection vulnerability in the chatbox of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message.
Affected Products:
Fusion Chat Chat AI Assistant Ask Me Anything – 1.2.4.0
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Command and Scripting Interpreter: Artificial Intelligence (AI)
Phishing: Spearphishing Attachment
Drive-by Compromise
User Execution: Malicious File
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Application Layer Protocol: Web Protocols
Input Capture
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect Stored Account Data
Control ID: 3.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management – Protection and Prevention
Control ID: Article 9(2)
CISA ZTMM 2.0 – Continuous Data Monitoring
Control ID: Data Pillar - Monitoring and Visibility
NIS2 Directive – Risk Analysis and Information System Security Policies
Control ID: Article 21(2)(b)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI agent prompt injection vulnerabilities expose software development data and intellectual property through LLM-based tools accessing private repositories and external communication capabilities.
Financial Services
Notion's AI agent data theft risks threaten client financial records and confidential documents, violating compliance frameworks while enabling data exfiltration through prompt injection attacks.
Legal Services
Law firms using AI-enabled document management face attorney-client privilege breaches as malicious PDFs can extract confidential case information through embedded prompt instructions.
Health Care / Life Sciences
Healthcare organizations risk HIPAA violations when AI agents process patient data, as prompt injection attacks can exfiltrate protected health information through external communications.
Sources
- Abusing Notion’s AI Agent for Data Thefthttps://www.schneier.com/blog/archives/2025/09/abusing-notions-ai-agent-for-data-theft.htmlVerified
- NVD - CVE-2024-8309https://nvd.nist.gov/vuln/detail/CVE-2024-8309Verified
- NVD - CVE-2024-5184https://nvd.nist.gov/vuln/detail/CVE-2024-5184Verified
- NVD - CVE-2024-48141https://nvd.nist.gov/vuln/detail/CVE-2024-48141Verified
- NVD - CVE-2024-48144https://nvd.nist.gov/vuln/detail/CVE-2024-48144Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust CNSF controls—such as network segmentation, egress policy enforcement, and real-time threat detection—would have restricted unauthorized east-west and outbound communications, reducing the blast radius and minimizing data loss. Segmentation of workloads, centralized visibility, and enforcement of outbound data policies are critical in constraining LLM-based prompt injection attacks in multi-cloud environments.
Control: Zero Trust Segmentation
Mitigation: Prevents untrusted external content from reaching sensitive processing environments.
Control: Zero Trust Segmentation
Mitigation: Limits scope of data accessible by AI processes based on least privilege.
Control: East-West Traffic Security
Mitigation: Detects and blocks suspicious internal communication attempts from compromised AI agents.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound traffic to unapproved external domains.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Detects and stops suspicious outbound payloads and exfiltration attempts.
Enables rapid detection and automated response to policy violations and anomalous AI-driven behaviors.
Impact at a Glance
Affected Business Functions
- Data Management
- Customer Relationship Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive client information, including names, company details, and annual recurring revenue (ARR), due to prompt injection vulnerabilities in AI agents.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to isolate AI/ML workloads and protect sensitive data stores from unauthorized access.
- • Enforce granular egress filtering using FQDN policies to prevent AI agents from communicating with untrusted or attacker-controlled destinations.
- • Deploy east-west traffic security and microsegmentation to monitor and restrict lateral movement between cloud workloads.
- • Enable threat detection and anomaly response capabilities to alert on unusual access patterns, AI agent behaviors, and exfiltration attempts.
- • Continuously review and refine security policies to adapt to evolving AI/ML attack techniques and ensure compliance with multi-cloud data governance.
