ForcedLeak Vulnerability in Salesforce Agentforce Exposed CRM Data Through Indirect AI Prompt Injection
Published
- Critical vulnerability: ForcedLeak, a critical severity (CVSS 9.4) vulnerability chain in Salesforce Agentforce, was discovered
- Attack method: The vulnerability enabled the exfiltration of sensitive CRM data through an indirect AI agent prompt injection attack.
- Mitigation: Salesforce has addressed the immediate risk by releasing patches that enforce Trusted URLs for Agentforce and Einstein AI agents.
A critical vulnerability chain in Salesforce Agentforce, named ForcedLeak, exposed organizations to potential CRM data breach risks. The vulnerability demonstrated how autonomous AI agents introduce a novel and expanded attack surface, enabling attackers to exfiltrate sensitive data through indirect prompt injection.
Discovery and Impact of ForcedLeak
Noma Security has disclosed the ForcedLeak vulnerability, rated with a CVSS score of 9.4, which impacted organizations using Salesforce Agentforce with the Web-to-Lead functionality enabled.
The attack path involved an attacker embedding malicious instructions within the "Description" field of a Web-to-Lead submission form. When an internal employee later used the artificial intelligence (AI) agent to process the lead, the agent would inadvertently execute the hidden malicious commands.
This allowed the AI agent, which had trusted access to the CRM, to be manipulated into extracting sensitive information, such as customer contact details and sales pipeline data.
A critical component of the attack was the discovery of an expired domain (my-salesforce-cms.com) that was still whitelisted in Salesforce's Content Security Policy (CSP). By re-registering this domain, Noma Security researchers created a trusted channel to exfiltrate the stolen CRM data, bypassing standard security controls.
“Indirect Prompt Injection is basically cross-site scripting, but instead of tricking a database into doing or divulging things it shouldn’t, the attackers get the inline AI to do it; it is like a mix of scripted attacks and social engineering,” said Andy Bennett, Chief Information Security Officer at Apollo Information Systems.
“The innovation is impressive and the impacts are potentially staggering depending on the breadth of deployment in the wild of AI models/agents that might be susceptible to this sort of attack.”
Mitigation and Broader AI Security Implications
Upon being notified by Noma Security on July 28, 2025, Salesforce investigated the issue and subsequently deployed patches by September 8, 2025. The fix prevents Agentforce agents from sending output to untrusted URLs, addressing the immediate exfiltration risk.
The incident highlights significant concerns surrounding Salesforce Agentforce security and the broader field of AI agent prompt injection. It proves that AI agents can be compromised through malicious instructions hidden within trusted data sources, blurring the lines between legitimate data and adversarial commands.
Noma Security advises organizations to apply the recommended Salesforce patches, audit lead data for suspicious instructions, and implement strict input validation to protect against similar threats.
“It's advisable to secure the systems around the AI agents in use, which include APIs, forms, and middleware, so that prompt injection is harder to exploit and less harmful if it succeeds,” added Chrissa Constantine from Black Duck.
“True prevention is around maintaining configuration and establishing guardrails around the agent design, software supply chain, web application, and API testing as these are the complementary controls to consider in order to achieve true scale application security.”
Elad Luz, Head of Research at Oasis Security, added:
- Know each agent’s access (and avoid toxic combos)
- Own your allowlist (and verify ownership)
- Sanitize external input before the agent sees it
- Track your vendors and their advisories
Mayuresh Dani, Security Research Manager at Qualys, also recommends enforcing strict tool-calling security guardrails to detect prompt injection in real-time, as well as rigorous security validation and threat modeling of all AI agents.
In mid-September, the FBI issued an alert on Salesforce breaches by UNC6040 and UNC6395 cybercriminal groups, which impacted several companies – some via the compromise of third-party application integrations.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular