ForcedLeak prompt injection against Salesforce Agentforce via Web-to-Lead CRM exfiltration
Technical Analysis
Summary
Hide ▲
Show ▼
Salesforce Agentforce was shown to be vulnerable to ForcedLeak, a prompt-injection technique that abuses Web-to-Lead forms to push CRM data exfiltration through an AI agent. The finding matters because it turns a routine lead-processing workflow into a practical data-theft path against enterprise AI integrations.
Related Happenings
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
CampaignAbout this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
Rising encryptionless extortion incidents against enterprises in 2025
Target Trend
First: 15.01.2026 17:45
Last: 15.01.2026 17:45
Sources 1
About this happening:
**Encryptionless extortion** surged in **2025** as attackers increasingly skipped ransomware encryption and instead stole data to pressure victims across **enterprise environments...
Rising encryptionless extortion incidents against enterprises in 2025
Target TrendAbout this happening: **Encryptionless extortion** surged in **2025** as attackers increasingly skipped ransomware encryption and instead stole data to pressure victims across **enterprise environments...
UNC6040 / ShinyHunters Salesforce vishing campaign
Campaign
First: 02.10.2025 00:17
Last: 02.10.2025 00:17
Sources 1
About this happening:
**UNC6040 / ShinyHunters** is running a **vishing-based Salesforce campaign** that has now been tied to **Workiva**. Workiva said attackers used a **third-party CRM system** to st...
UNC6040 / ShinyHunters Salesforce vishing campaign
CampaignAbout this happening: **UNC6040 / ShinyHunters** is running a **vishing-based Salesforce campaign** that has now been tied to **Workiva**. Workiva said attackers used a **third-party CRM system** to st...
Salesforce Agentforce Trusted URLs mitigation
Advisory/Mitigation
First: 25.09.2025 21:04
Last: 25.09.2025 21:04
Sources 1
How related:
To mitigate the risk, users should add any additional external URLs that users rely on to the Salesforce Trusted URLs list or to their AI agent's instructions.
About this happening:
**Salesforce** issued mitigation guidance for **Agentforce** after researchers showed prompt-injection paths could drive **CRM data exfiltration** through external links and forms...
Salesforce Agentforce Trusted URLs mitigation
Advisory/MitigationHow related: To mitigate the risk, users should add any additional external URLs that users rely on to the Salesforce Trusted URLs list or to their AI agent's instructions.
About this happening: **Salesforce** issued mitigation guidance for **Agentforce** after researchers showed prompt-injection paths could drive **CRM data exfiltration** through external links and forms...
Salesforce Agentforce Web-to-Lead indirect prompt injection ForcedLeak security flaw
Vulnerability
First: 25.09.2025 18:17
Last: 25.09.2025 18:17
Sources 1
How related:
Cybersecurity researchers have disclosed a critical flaw impacting Salesforce Agentforce, a platform for building artificial intelligence (AI) agents, that could allow attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection.
About this happening:
A **critical** **ForcedLeak** flaw in **Salesforce Agentforce** can let attackers use **indirect prompt injection** to exfiltrate sensitive **CRM data**, especially where **Web-to...
Salesforce Agentforce Web-to-Lead indirect prompt injection ForcedLeak security flaw
VulnerabilityHow related: Cybersecurity researchers have disclosed a critical flaw impacting Salesforce Agentforce, a platform for building artificial intelligence (AI) agents, that could allow attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection.
About this happening: A **critical** **ForcedLeak** flaw in **Salesforce Agentforce** can let attackers use **indirect prompt injection** to exfiltrate sensitive **CRM data**, especially where **Web-to...
Timeline
-
25.09.2025 19:15 2 articles · 8mo ago
ForcedLeak disclosure against Salesforce Agentforce
Technical Analysis UpdateNoma Security disclosed ForcedLeak against Salesforce Agentforce, showing that specially crafted Web-to-Lead submissions can cause autonomous AI agents to collect CRM data, add stolen email addresses to a request to a remote server, and exfiltrate information on behalf of the attacker. The findings also showed that a trusted Salesforce domain left to expire could have provided a covert exfiltration endpoint.
Show sources
- Salesforce AI Hack Enabled CRM Data Theft — www.securityweek.com — 25.09.2025 19:15
- Salesforce AI Agents Forced to Leak Sensitive Data — www.darkreading.com — 25.09.2025 21:04
-
25.09.2025 19:15 1 articles · 8mo ago
Salesforce regains expired domain and blocks untrusted output destinations
Mitigation Patch UpdateAfter being notified, Salesforce regained control of the expired trusted domain and changed Agentforce output handling so AI agent output is no longer sent to untrusted domains. That remediation reduced one practical exfiltration path for malicious Web-to-Lead submissions.
Show sources
- Salesforce AI Hack Enabled CRM Data Theft — www.securityweek.com — 25.09.2025 19:15