Salesforce AI Agents Forced to Leak Sensitive Data

Summary

Researchers at Noma Security discovered a critical prompt-injection chain they call “ForcedLeak” that can trick Salesforce’s Agentforce autonomous agents into exfiltrating CRM data. The flaw behaves like an AI-era form of cross-site scripting: an attacker injects malicious instructions into a Web-to-Lead form, and an agent that runs later processes those instructions and leaks internal information. The issue earned a 9.4/10 CVSS score.

Noma showed how an expired, whitelisted domain could be used as a receiver for stolen data; Salesforce has since reclaimed the domain and tightened trusted-URL handling, but deeper structural defences around prompt filtering and instruction handling remain a work in progress.

Key Points

  • Noma Security named the technique “ForcedLeak” — a prompt-injection chain that leads to data exfiltration via Agentforce agents.
  • The vulnerability scores 9.4 on CVSS, indicating critical impact for exposed systems.
  • Attackers can embed malicious prompts in Web-to-Lead forms; when agents process those prompts they may leak internal CRM data to attacker-controlled domains.
  • A content-security whitelist (including an expired domain) was abused to bypass simple safeguards; Salesforce has reclaimed that domain and patched trusted-URL handling.
  • Salesforce says it released patches to prevent output being sent to untrusted URLs, but robust prompt-filtering and architectural fixes are still needed.
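
An added example (not Salesforce's or Noma's code) of the two checks these points imply: agent output may only reference hosts on the trusted-URL list, and a trusted host whose domain registration has lapsed is treated as untrusted. The hostnames, expiry dates and sample agent reply are constructed; the expiry dates are assumed to come from your own registrar or WHOIS records.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Constructed allowlist: trusted host -> date its domain registration lapses.
# Hostnames and dates are placeholders, not values from the ForcedLeak report.
TRUSTED_HOSTS = {
    "cdn.example.com": date(2030, 1, 1),
    "old-partner.example.net": date(2024, 5, 1),  # registration has lapsed
}
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def check_url(url, today, trusted=TRUSTED_HOSTS):
    """Return None if the URL may leave the agent, else the reason to block it."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. malformed IPv6 literal
        host = ""
    if not host:
        return "unparseable host"
    expiry = trusted.get(host)  # exact host match only, no suffix matching
    if expiry is None:
        return "host not on trusted list"
    if expiry <= today:
        return "trusted host's domain registration has lapsed"
    return None


def audit_agent_output(text, today, trusted=TRUSTED_HOSTS):
    """List (url, reason) for every URL in agent output that must be blocked."""
    findings = []
    for url in URL_RE.findall(text):
        reason = check_url(url, today, trusted)
        if reason:
            findings.append((url, reason))
    return findings


# Constructed agent reply, as it might look after processing a poisoned lead.
SAMPLE_OUTPUT = (
    "Lead summary ready. Logo: https://cdn.example.com/logo.png "
    "Report: https://old-partner.example.net/c?d=alice%40corp.example "
    "Mirror: https://cdn.example.com.attacker.example/x"
)

if __name__ == "__main__":
    for url, reason in audit_agent_output(SAMPLE_OUTPUT, date(2025, 9, 1)):
        print(f"BLOCK {url}: {reason}")
```

Running the same expiry check periodically over the trusted list itself, not only at output time, catches a lapsed entry before any agent output references it.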

Context and Relevance

As legacy SaaS vendors add agentic AI features to their platforms, prompt-injection and agent manipulation become a new attack vector for leaking highly sensitive CRM content: notes, call logs, transaction history and personal details. Such data is exceptionally valuable for tailored social-engineering campaigns and lateral movement inside organisations. This incident highlights a broader industry problem: securing AI instruction boundaries and trusted resources in production SaaS deployments.

Why should I read this?

Look, this is the kind of clever-but-dodgy trick that hands attackers your customer list on a plate. If your org uses Salesforce Agentforce (or any autonomous agents tied to web inputs), you need to know how simple form fields can be weaponised. Reading this will save you from thinking “that won’t happen to us” — it can, and it moves fast.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/salesforce-ai-agents-leak-sensitive-data
