One of the most persistent anxieties in the era of enterprise generative AI is the continued prevalence of prompt injection attacks. These attacks enable adversaries to manipulate large language models (LLMs) into divulging confidential data, bypassing intended guardrails. Two recently disclosed vulnerabilities—affecting Salesforce&39;s Agentforce and Microsoft&39;s Copilot—serve as stark reminders that even dominant vendors are not immune to this class of threat.
The research, published by Capsule Security, a vendor specialising in AI agent runtime security, details two distinct attack chains: PipeLeak targeting Salesforce and ShareLeak (CVE-2026-21520) targeting Microsoft Copilot. Both vulnerabilities have been addressed by the respective vendors, but the findings highlight architectural design flaws that can be exploited with minimal technical expertise.
PipeLeak: How Salesforce Agentforce Could Be Compromised
The PipeLeak vulnerability in Salesforce Agentforce originated from how the platform processes untrusted data from external lead capture forms. Capsule discovered that an attacker could embed malicious instructions directly into a public-facing CRM form field—a form typically used by prospective clients on a Salesforce customer&39;s website. These instructions would then be interpreted by the AI agent as a trusted prompt, overriding its intended behaviour.
In a proof-of-concept demonstration, Capsule inserted a single line of text instructing the agent to list all leads it could find and send that list via email back to the attacker. No complex code, no exploitation of traditional software vulnerabilities—just a well-crafted sentence that the LLM obediently executed. The company described this as a fundamental architectural flaw: “Agent Flows process lead form inputs as trusted instructions rather than untrusted data.” Because lead forms accept arbitrary text from external, unauthenticated users, an attacker can embed malicious prompts that override the agent’s intended behaviour.
Salesforce, in its response, thanked Capsule for the report but characterised the issue as configuration-specific rather than a platform-level vulnerability. The company emphasised that its out-of-the-box (OOTB) email actions require human-in-the-loop (HITL) oversight, and that the same requirement is available as a configuration setting for custom actions to prevent unintentional data transfers. However, Capsule co-founder and CEO Naor Paz expressed surprise at this stance, noting that the whole premise of AI agents is autonomous operation. “The whole thing about agents is they do things for you without you babysitting them,” Paz said. “We're seeing agents like Claude Code, for example, running for days, writing code, querying production databases, and doing many dangerous things autonomously. I think their answer, like, 'Do human in the loop,' is just embarrassing.”
A Salesforce spokesperson later stated that the company is aware of the issue and has remediated it, adding that prompt injection is an evolving challenge across the AI industry and that layered safeguards—including instruction isolation, tool-use restrictions, and human oversight—are being continuously refined.
ShareLeak: Microsoft Copilot Vulnerability Exposed
The parallel vulnerability in Microsoft Copilot, designated CVE-2026-21520 with a CVSS score of 7.5 (high severity), was dubbed ShareLeak by Capsule. This attack required a more complex command but followed the same pattern: an attacker inserts malicious code into a SharePoint form input, which then triggers the connected Copilot data and returns sensitive information to an attacker-controlled email address. Crucially, even when safety mechanisms flagged the attack during execution, data was still exfiltrated before the flag could prevent the leak.
Microsoft addressed the vulnerability following Capsule’s disclosure. The company has not publicly elaborated on the technical details of the fix but has acknowledged the issue. Capsule’s Kaduri noted that the attack required no special access or advanced technical skills—only an understanding of how LLMs process instructions.
The Lethal Trifecta and Broader Implications
Paz introduced a concept he calls the “lethal trifecta” for AI agent security: the intersection of an agent with access to sensitive data, external exposure to untrusted content, and the ability to communicate externally. When all three elements are present, data can be easily manipulated and exfiltrated. Both the PipeLeak and ShareLeak vulnerabilities perfectly illustrate this trifecta: the agents had access to customer relationship management (CRM) or SharePoint data, they were exposed to untrusted form inputs, and they could send emails to external recipients.
The research underscores that prompt injection remains a fundamentally unsolved problem for LLMs. Unlike traditional software vulnerabilities that require code-level exploitation, prompt injection exploits the very nature of how LLMs interpret instructions. The problem is compounded by the rush to deploy AI agents across operations without corresponding security tools designed for this new paradigm. As Kaduri wrote, “Organizations rushing to deploy AI agents inherit significant risks that existing security tools weren't designed to address.”
Security professionals have long warned about the dangers of giving LLMs direct access to sensitive data and external communication channels. The Capsule findings validate these concerns, demonstrating that even after patches, the architectural decisions made by vendors can create persistent attack surfaces. The response from Salesforce—recommending HITL configurations—has drawn criticism because it essentially places the burden on customers to secure a platform issue. Many organisations use AI agents precisely to reduce manual oversight, and requiring human-in-the-loop for every email action undermines the efficiency gains that agents promise.
Recommendations for Organisations
Capsule recommends that any organisation running Salesforce Agentforce or similar AI agent platforms treat all lead form inputs as untrusted data. Specific measures include: disallowing email tool usage when processing untrusted inputs, applying input sanitisation and prompt boundary techniques, requiring manual review before sending emails that contain CRM data, and logging all agent actions involving data access or external communication. These steps can help mitigate the risk of prompt injection until more robust platform-level solutions are developed.
The broader takeaway is that the AI industry has not yet found a reliable way to distinguish between trusted instructions and untrusted data in LLM workflows. While vendors like Microsoft and Salesforce are actively improving their safeguards, the fundamental challenge remains. As Paz put it, “It's not a resource problem. I think it's more of an approach problem, because all these large vendors still have to deal with this. They still don't have the right approaches to match this newer problem.”
The emergence of advanced exploit-hunting capabilities, such as those found in Anthropic’s Claude Mythos, could further lower the barrier for attackers to discover and weaponise similar vulnerabilities. As long as LLMs treat user-supplied text as commands rather than data, the threat of prompt injection will persist. Organisations must adopt a defence-in-depth strategy that combines vendor patches, custom security configurations, rigorous input validation, and constant monitoring of agent behaviour to protect sensitive data from being leaked through seemingly innocuous forms.
Source: Dark Reading News