TLDR: 187 Granola Workspace users who were removed or deleted from their linked Google Workspace accounts were not automatically logged out of the Granola app. A security researcher reported the issue, and we have resolved it.

Summary

A security researcher reported a vulnerability in our session-logout management that affected Granola Workspace users. The researcher originally observed the issue when users manually disconnected their Google Workspace connection. Our investigation showed it also applied to users whose Google Workspace accounts had been suspended or deleted.

In practice, this meant that a user whose Google Workspace connection had been removed, or whose Google Workspace account had been suspended or deleted, could continue to access their historical meeting notes and transcripts through existing Granola sessions until they manually logged out.

The researcher disclosed the issue on May 12 2025. We acknowledged the report on May 13 2025, released fixes for the Desktop and iOS apps on May 28 2025, and deployed a follow-up fix for web sessions on June 2 2025.

We are publishing this post-mortem to explain the incident and our response.

Explanation of Why and How This Happened

Timeline

  • Nov 12 2024: Granola Workspaces were first introduced.
  • May 12 2025: Security researcher reports vulnerability affecting users who removed their Granola connection with Google.
  • May 13 2025: Granola acknowledges the report and begins internal investigation.
  • May 13 – June 2 2025: Technical investigation and deployment of fixes across all platforms.
  • June 3 2025: Internal investigation completed and this post-mortem published.

Root Cause

Granola user sessions were not tied to the ongoing validity of the associated Google Workspace account. After authenticating with Google and receiving a token, a Granola session remained valid until the user logged out, regardless of whether the Google connection was subsequently disconnected or the Google account was suspended or deleted. Nothing in the session refresh path re-checked the upstream account.

How We Addressed the Issue

  • May 13 2025: Acknowledged the report, began investigation, and reproduced the vulnerability.
  • May 13 – June 2 2025:
    • Verified that users with suspended or deleted Google Workspace accounts retained Granola access.
    • Identified 187 affected users who were part of at least one Granola Workspace.
    • Implemented automatic logout when a Google Workspace connection is deactivated.
  • May 28 2025: Deployed fixes to the Desktop and iOS applications.
  • June 2 2025: Deployed follow-up fix to the web application.

Long-term Preventive Actions

We implemented checks that verify Google Workspace access token validity as part of Granola’s access token refresh logic; previously, the Google token was only validated at login. We are also adding periodic checks that validate the Google Workspace access token so that account suspensions and deletions are detected earlier, rather than only when a session next refreshes.
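The following is an added illustration, not Granola’s code, of the pattern described in the root cause and in the preventive actions above: a session refresh that only extends the local session (the vulnerable behaviour) beside one that re-verifies the upstream Google Workspace account on every refresh and revokes all sessions bound to an account that is no longer active, plus a periodic sweep that catches suspended or deleted accounts between refreshes. The `SessionStore` class, the `UpstreamStatus` values and the injected `upstream_check` callable are assumptions for illustration; in a real deployment that callable would attempt to use the stored Google refresh token or query Google’s directory rather than consult the constructed in-memory dictionary used here.

```python
"""Added example (not Granola's code): binding local session refresh to the
status of the upstream Google Workspace account. All names are illustrative."""
from dataclasses import dataclass
from enum import Enum


class UpstreamStatus(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"        # admin suspended the Workspace user
    DELETED = "deleted"            # user removed from the Workspace
    DISCONNECTED = "disconnected"  # user revoked the app's Google grant


@dataclass
class Session:
    session_id: str
    google_sub: str      # stable Google subject the session was minted for
    expires_at: float
    revoked: bool = False


class SessionStore:
    def __init__(self, upstream_check, ttl=3600):
        # upstream_check(google_sub) -> UpstreamStatus. Injected so the example
        # runs offline; in production it would hit Google, not a dict.
        self._upstream_check = upstream_check
        self._ttl = ttl
        self._sessions = {}

    def login(self, session_id, google_sub, now):
        # Login is the only place the original design validated the Google account.
        self._sessions[session_id] = Session(session_id, google_sub, now + self._ttl)

    def get(self, session_id):
        return self._sessions[session_id]

    def _live(self, session_id, now):
        s = self._sessions[session_id]
        if s.revoked or now > s.expires_at:
            raise PermissionError("session expired or revoked")
        return s

    def refresh_vulnerable(self, session_id, now):
        # Before: refresh trusts the local session alone, so a session outlives
        # the Google account it was issued for until the user logs out.
        s = self._live(session_id, now)
        s.expires_at = now + self._ttl
        return s

    def refresh(self, session_id, now):
        # After: refresh re-verifies the upstream account and revokes every
        # session bound to it (desktop, web, mobile) if it is no longer active.
        s = self._live(session_id, now)
        status = self._upstream_check(s.google_sub)
        if status is not UpstreamStatus.ACTIVE:
            self.revoke_all_for(s.google_sub)
            raise PermissionError(f"upstream account {status.value}; sessions revoked")
        s.expires_at = now + self._ttl
        return s

    def revoke_all_for(self, google_sub):
        for s in self._sessions.values():
            if s.google_sub == google_sub:
                s.revoked = True

    def sweep(self, now):
        """Periodic check: revoke live sessions whose upstream account is no
        longer active without waiting for the next refresh. Returns revoked ids."""
        live = [s for s in self._sessions.values() if not s.revoked and now <= s.expires_at]
        revoked = []
        for sub in sorted({s.google_sub for s in live}):
            if self._upstream_check(sub) is not UpstreamStatus.ACTIVE:
                revoked.extend(s.session_id for s in live if s.google_sub == sub)
                self.revoke_all_for(sub)
        return sorted(revoked)


def demo():
    """Constructed scenario: after login, alice is suspended, bob is deleted, carol stays active."""
    directory = {"alice": UpstreamStatus.ACTIVE, "bob": UpstreamStatus.ACTIVE,
                 "carol": UpstreamStatus.ACTIVE}
    # An unknown subject means the account no longer exists in the Workspace.
    store = SessionStore(lambda sub: directory.get(sub, UpstreamStatus.DELETED))
    t0 = 1_700_000_000.0
    for sid, sub in [("s-alice-desktop", "alice"), ("s-alice-web", "alice"),
                     ("s-bob", "bob"), ("s-carol", "carol")]:
        store.login(sid, sub, t0)

    directory["alice"] = UpstreamStatus.SUSPENDED   # admin action after login
    del directory["bob"]                             # account deleted after login

    r = {}
    # Vulnerable path: alice's desktop session is extended despite the suspension.
    r["vulnerable_alice_refreshed"] = store.refresh_vulnerable("s-alice-desktop", t0 + 1800).expires_at > t0 + 3600
    # Hardened path: the web refresh detects it and revokes both of alice's sessions.
    try:
        store.refresh("s-alice-web", t0 + 1800)
        r["hardened_alice_refreshed"] = True
    except PermissionError:
        r["hardened_alice_refreshed"] = False
    r["alice_desktop_revoked"] = store.get("s-alice-desktop").revoked
    # Periodic sweep catches bob's deleted account before he ever refreshes.
    r["swept"] = store.sweep(t0 + 1800)
    r["carol_ok"] = store.refresh("s-carol", t0 + 1800).expires_at == t0 + 5400
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: revocation is keyed on the Google subject rather than the single session being refreshed, so one detection logs the user out of every device at once, and the sweep reuses the same upstream check, so the refresh path and the periodic path cannot drift apart in what they consider "active".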

Additionally, we have initiated a comprehensive security review focused on authentication management across the entire product and we are establishing a formal review process to oversee any future changes that impact authentication.

Impact Assessment

A total of 187 users who, since Workspaces launched in November 2024, had either removed the Google connection or had their Google Workspace account suspended or deleted could continue to access their meeting notes and transcripts through sessions that were still logged in.

Guidance for Customers

No user action is required. All affected users have been automatically logged out. If you have concerns about data access during the vulnerability window, please contact hey@granola.so.