Salesforce Agentforce and Einstein AI URL allowlist patch
Security Patch Release
Summary
Salesforce rolled out patches for Agentforce and Einstein AI agents to enforce a URL allowlist, reducing the chance that prompt-injection-driven output can be sent to untrusted URLs. The update addresses the same exposure path used to exfiltrate sensitive CRM data after a successful prompt injection. Salesforce also re-secured the expired domain involved in the attack path.
Related Happenings
Salesforce Agentforce Trusted URLs mitigation
Advisory/Mitigation
First: 25.09.2025 21:04
Last: 25.09.2025 21:04
Sources 1
About this happening:
**Salesforce** issued mitigation guidance for **Agentforce** after researchers showed prompt-injection paths could drive **CRM data exfiltration** through external links and forms...
ForcedLeak prompt injection against Salesforce Agentforce via Web-to-Lead CRM exfiltration
Technical Analysis
First: 25.09.2025 19:15
Last: 25.09.2025 19:15
Sources 1
How related:
Cybersecurity researchers have disclosed a critical flaw impacting Salesforce Agentforce, a platform for building artificial intelligence (AI) agents, that could allow attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection.
About this happening:
**Salesforce Agentforce** was shown to be vulnerable to **ForcedLeak**, a **prompt-injection** technique that abuses **Web-to-Lead** forms to push **CRM data exfiltration** throug...
Timeline
- 25.09.2025 18:17 · 1 article
Noma Security discloses ForcedLeak in Salesforce Agentforce
Initial Disclosure: Noma Security disclosed ForcedLeak, a critical CVSS 9.4 flaw in Salesforce Agentforce with Web-to-Lead enabled, and showed that indirect prompt injection could coerce malicious instructions from a lead Description field to leak sensitive CRM data.
Sources:
- Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17
- 25.09.2025 18:17 · 2 articles
Salesforce enforces Trusted URL allowlist in Agentforce and Einstein AI
Mitigation Patch Update: Salesforce re-secured the expired Salesforce-related domain used in the attack path and rolled out patches that enforce a Trusted URL allowlist for Agentforce and Einstein AI agents, blocking outbound output to untrusted URLs and reducing sensitive-data exfiltration risk for organizations using those services.
Sources:
- Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection — thehackernews.com — 25.09.2025 18:17
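The summary and the "Mitigation Patch Update" entry above both describe the same control: agent output may only carry URLs whose host is on a trusted allowlist, so a prompt-injected instruction cannot route CRM data to an expired or lookalike domain. The block below is an added example of such an output filter written for this page; it is not Salesforce's Trusted URL implementation, and the allowlist hosts (`example.com`, `crm.example.com`), the sample agent output and the `.test` destinations are all constructed. It goes slightly beyond the page by also rejecting non-HTTP schemes and userinfo-style hosts, which are the usual ways an allowlist check is bypassed when it compares strings instead of parsed hosts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set
from urllib.parse import urlsplit

# Constructed allowlist for this example (not Salesforce's actual Trusted URL list).
TRUSTED_HOSTS: Set[str] = {"example.com", "crm.example.com"}

# Any scheme followed by "://" up to whitespace or a quoting/markup character.
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s<>\"']+")

# Constructed agent output mixing a legitimate CRM link with injected destinations.
SAMPLE_OUTPUT = (
    "Lead summary for Acme: details at https://crm.example.com/lead/42. "
    "Also fetch https://expired-lookalike.test/collect?d=SECRET_EMAIL, "
    "https://crm.example.com@evil.test/x and https://notexample.com/q "
    "and ftp://crm.example.com/f."
)


def host_is_trusted(url: str, trusted_hosts: Set[str] = TRUSTED_HOSTS) -> bool:
    """True only if the scheme is http(s) and the parsed host is an allowlisted
    host or a proper subdomain of one. Parsing with urlsplit means
    'https://crm.example.com@evil.test/' resolves to evil.test, not to the
    trusted-looking userinfo part."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for trusted in trusted_hosts:
        t = trusted.lower()
        # Exact match or ".<trusted>" suffix; "notexample.com" must not match "example.com".
        if host == t or host.endswith("." + t):
            return True
    return False


@dataclass
class FilterResult:
    text: str
    allowed: List[str] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)


def filter_agent_output(text: str, trusted_hosts: Set[str] = TRUSTED_HOSTS) -> FilterResult:
    """Replace every URL whose host is not allowlisted with a marker and report
    what was kept and what was blocked, so the blocked list can feed detection."""
    result = FilterResult(text="")

    def _sub(match: "re.Match[str]") -> str:
        url = match.group(0)
        trail = ""
        # Sentence punctuation glued to the URL is not part of it.
        while url and url[-1] in ".,;:!?":
            trail = url[-1] + trail
            url = url[:-1]
        if host_is_trusted(url, trusted_hosts):
            result.allowed.append(url)
            return url + trail
        result.blocked.append(url)
        return "[blocked-untrusted-url]" + trail

    result.text = URL_RE.sub(_sub, text)
    return result


if __name__ == "__main__":
    r = filter_agent_output(SAMPLE_OUTPUT)
    print(r.text)
    print("allowed:", r.allowed)
    print("blocked:", r.blocked)
```

The filter runs on the agent's final output rather than on its input, which is the point of the mitigation: an injected instruction may still be followed, but the data it tries to carry has nowhere untrusted to go. Logging `blocked` gives a cheap detection signal for injection attempts against the agent.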