TLDR: Until May 23 2025, Granola auto-provisioned users solely by matching their Google OAuth email domain. Legacy unmanaged Google accounts (e.g., alice+alias@acme.com) could therefore be auto-granted access to a Granola Workspace whose domain matched their email and had Allow teammates to join automatically enabled in workspace settings. The issue was reported on May 16 2025 and patched on May 23 2025. Our investigation confirmed no unauthorized access to Granola workspaces via unmanaged accounts.

Summary

Google previously allowed creation of personal accounts whose email addresses matched a Google Workspace domain without being managed by that Workspace. Because Granola’s auto-join logic trusted the domain match alone, anyone holding one of these legacy unmanaged accounts, typically former employees, could have joined their company’s Granola workspace (if auto-join was enabled in workspace settings). Google no longer issues new unmanaged accounts, but existing ones remained a risk until we added more explicit Workspace membership checks on May 23 2025. The vulnerability was responsibly disclosed by one of our customers, and our investigation confirmed that no other workspaces contained unmanaged accounts and that no data was accessed outside the reporting customer’s workspace. We are sharing this post-mortem to explain the incident and our response.

Explanation of Why and How This Happened

Timeline

  • May 16 2025: A customer reports the issue, internal security channel alerted, Engineering and CX begin reproduction.
  • May 16 2025: Initial production-database query confirms no workspace members with unmanaged accounts.
  • May 19 2025: Confirmed Google no longer issues new unmanaged accounts, but existing ones remain valid.
  • May 20 – 22 2025: Engineering conducts impact analysis and identifies gaps in default workspace checks.
  • May 23 2025: Fix validated and deployed, Granola now explicitly requires Google Workspace verification for auto-join. Database rescanned, still no unmanaged accounts found.
  • May 27 2025: Confirmation email sent to the reporting customer.
  • Jun 3 2025: This post-mortem published.

Root Cause

We assumed that owning a corporate-domain Google account implied Google Workspace management. Granola’s auto-join logic relied solely on email-domain matching and did not explicitly verify Google Workspace membership.

How We Addressed the Issue

  • May 16 2025: Queried production database and confirmed zero unmanaged accounts in any workspace.
  • May 23 2025: Deployed a change that enforces Google Workspace membership in addition to domain matching. Unmanaged accounts can no longer auto-join Granola workspaces. Checked production database again to confirm no user impact.

How We Investigated Potential Data Exposure

We queried the production database for workspace members with unmanaged Google accounts and confirmed that none existed.

Guidance for Customers

No action is required. If you have questions or concerns, please reach out to hey@granola.so.

Acknowledgements

We thank Johan Uhle for responsibly disclosing this vulnerability and working with the Granola team to reproduce the issue and confirm the fix.

References