
Salesforce Agentforce Web-to-Lead indirect prompt injection ForcedLeak security flaw

Type: Vulnerability
Happening score: 20
1 unique source, 1 article

Summary


ForcedLeak is a critical flaw in Salesforce Agentforce that lets attackers use indirect prompt injection to exfiltrate sensitive CRM data from organizations that have Web-to-Lead enabled. The weakness is rated CVSS 9.4 and works by planting malicious instructions in a lead's Description field so that the agent executes the hidden commands when it processes the lead. Salesforce has re-secured the expired domain and issued patches that enforce a Trusted URL allowlist, blocking agent output from being sent to untrusted destinations.

Related Happenings

Reprompt prompt-injection mechanics against Microsoft Copilot

Technical Analysis
First: 15.01.2026 14:09 Last: 15.01.2026 14:09 Sources 1

About this happening: Researchers mapped **Reprompt**, a **prompt-injection** chain against **Microsoft Copilot** that can drive **continuous, undetectable user-data exfiltration** and persist after th...

Salesforce Agentforce Trusted URLs mitigation

Advisory/Mitigation
First: 25.09.2025 21:04 Last: 25.09.2025 21:04 Sources 1

About this happening: **Salesforce** issued mitigation guidance for **Agentforce** after researchers showed prompt-injection paths could drive **CRM data exfiltration** through external links and forms...

ForcedLeak prompt injection against Salesforce Agentforce via Web-to-Lead CRM exfiltration

Technical Analysis
First: 25.09.2025 19:15 Last: 25.09.2025 19:15 Sources 1

How related: Cybersecurity researchers have disclosed a critical flaw impacting Salesforce Agentforce, a platform for building artificial intelligence (AI) agents, that could allow attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection.

About this happening: **Salesforce Agentforce** was shown to be vulnerable to **ForcedLeak**, a **prompt-injection** technique that abuses **Web-to-Lead** forms to push **CRM data exfiltration** throug...

Timeline

  1. 25.09.2025 18:17 2 articles · 8mo ago

    Salesforce re-secures domains and enforces Trusted URL allowlists

    Mitigation Patch Update

    Salesforce re-secured the expired domain and rolled out patches that prevent Agentforce and Einstein AI agent output from being sent to untrusted URLs by enforcing a Trusted URL allowlist, adding a defense-in-depth control against prompt-injection-driven data leakage from customer systems.

  2. 28.07.2025 03:00 1 article · 10mo ago

    ForcedLeak disclosed in Salesforce Agentforce

    Initial Disclosure

    Noma Security disclosed ForcedLeak, a critical CVSS 9.4 flaw in Salesforce Agentforce affecting organizations with Web-to-Lead enabled. The researchers showed that a malicious Description field submission could use indirect prompt injection to make the agent execute hidden instructions, query CRM data, and exfiltrate sensitive information to a Salesforce-related allowlisted domain that had expired and become available for purchase.
