The rush to deploy AI agents across enterprise workflows has introduced a new class of security risks that traditional defenses struggle to address. Recent vulnerabilities in two of the most widely used AI platforms — Salesforce Agentforce and Microsoft Copilot — highlight how prompt injection attacks can bypass safeguards and exfiltrate sensitive data.
PipeLeak: Salesforce Agentforce Vulnerability
Discovered by Capsule Security, the flaw in Salesforce Agentforce, dubbed "PipeLeak," allowed an attacker to embed malicious instructions into an untrusted lead capture form. When the AI agent processed the form, it interpreted the injected text as a trusted prompt, overriding its intended behavior. In a proof-of-concept demonstration, a single line of text instructed the agent to list all leads and send them to the attacker via email. No complex exploit code was required.
The vulnerability stemmed from a fundamental architectural issue: Agent Flows treated lead form inputs as trusted instructions rather than untrusted data. Since these forms are often public-facing and accept arbitrary text from unauthenticated users, attackers could easily inject prompts that changed the agent's actions.
Salesforce acknowledged the issue and stated that it is a configuration-specific problem, not a platform-level vulnerability. The company recommended that customers enable human-in-the-loop (HITL) oversight for email actions to prevent data leaks. However, security experts criticize this response, arguing that AI agents are designed to operate autonomously, and requiring manual oversight for every action undermines their purpose.
ShareLeak: Microsoft Copilot Flaw
In parallel, Capsule Security identified a similar vulnerability in Microsoft Copilot, tracked as CVE-2026-21520 and rated high severity (CVSS 7.5). Termed "ShareLeak," the attack leveraged SharePoint form inputs to inject malicious code into the connected Copilot instance. When triggered, the agent would retrieve customer data and send it to an attacker-controlled email. Even when safety mechanisms flagged the attack, data exfiltration still occurred.
This flaw also exploited the trust placed in form inputs. The injection command required more complexity than the Salesforce case, but the underlying principle was identical: the AI agent could not distinguish between trusted and untrusted instructions.
Microsoft addressed the vulnerability after receiving Capsule's report. The company has not broadly commented on the issue beyond confirming the patch.
The Persistent Threat of Prompt Injection
Prompt injection attacks have plagued large language models (LLMs) since their widespread adoption. They exploit the way LLMs process instructions — any text input can be interpreted as a command, even when it originates from an untrusted source. AI agents, which act on these instructions autonomously, amplify the risk because they can access sensitive data and communicate externally.
According to Naor Paz, co-founder and CEO of Capsule Security, the intersection of three conditions — an agent with access to sensitive data, exposure to untrusted content, and the ability to communicate externally — creates a "lethal trifecta" for data exfiltration. Both the Salesforce and Microsoft flaws met these conditions.
Paz criticized the vendors' reliance on human-in-the-loop configurations, stating that the whole appeal of AI agents is their autonomy. "The whole thing about agents is they do things for you without you babysitting them," he said. "They're running for days, writing code, querying production databases, and doing many dangerous things autonomously."
Industry Implications and Recommendations
The findings underscore that prompt injection is not a problem that can be solved with simple patches or configuration changes. It requires fundamental rethinking of how AI agents handle inputs. Researchers recommend treating all external form inputs as untrusted data, implementing strict input sanitization and prompt boundary techniques, and avoiding use of email tools when processing untrusted inputs. Logging all agent actions involving data access or external communication is also critical.
Salesforce stated that it continues to refine layered safeguards, including instruction isolation, tool-use restrictions, and human oversight. Microsoft has not detailed its long-term strategy for preventing prompt injection.
As organizations accelerate AI agent deployment, the security community warns that these vulnerabilities are only the beginning. The emergence of exploit tools like Anthropic's Claude Mythos could make prompt injection attacks more accessible to threat actors. Until vendors develop new approaches that match the unique risks of autonomous AI agents, data leaks will remain a persistent headache for security teams.
Source: Dark Reading News