
Salesforce announced a mandatory security update that will enforce Trusted URL allowlists for its Agentforce and Einstein Generative AI services. The change is designed to prevent malicious link generation and potential data exfiltration resulting from prompt injection attacks.
Salesforce published a security enforcement notice last week announcing that, “starting September 8, 2025,” any external URL generated or called by an AI agent must be explicitly pre-approved by an administrator, either through Salesforce's existing Trusted URLs feature or via agent-specific instructions.
The primary goal of this Agentforce security update, which is a critical step in strengthening platform security and adhering to the "principle of least privilege," is to ensure that agents cannot create links to unapproved domains, thereby safeguarding sensitive data within the Salesforce ecosystem.
Workflows that could be affected include those where agents generate images from external domains, link to third-party documentation, or create responses containing any URL not on the allowlist.
If a domain is not approved, the link generated by the agent will be blocked, which may disrupt agent functionality.
This proactive measure significantly enhances Einstein AI security by providing a defense-in-depth control against unauthorized external requests.
To prevent disruption, Salesforce administrators must immediately review their agent workflows and add all external domains to their organization's Salesforce Trusted URLs list.
This includes URLs for services like external feedback forms, knowledge bases, or any other third-party system that agents need to reference.
Standard Salesforce org URLs are allowed by default. Configuration is handled in the Setup menu under "Trusted URLs," where new domains can be added and appropriate CSP directives applied.
Ensure you have the "Customize Application" and "Modify All Data" user permissions to create, read, update, and delete Trusted URLs. URLs added to the allowlist are permitted throughout the entire Salesforce org, not just for the agents.
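To illustrate the allowlist behaviour the update enforces, here is an added Python example (not Salesforce's own code; the allowlist entries, the "*." wildcard convention and the sample agent response are constructed) that checks every link in an agent's output against a Trusted URLs-style allowlist and strips the ones pointing at unapproved domains.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of administrator-approved domains (hypothetical).
# A "*." entry also matches subdomains; a bare entry must match exactly.
TRUSTED_URLS = {"docs.example.com", "*.help.example.org"}

# Constructed agent response containing one approved and one unapproved link.
SAMPLE_RESPONSE = ("See https://docs.example.com/setup and "
                   "https://evil.test/collect?q=account-data for details.")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def host_allowed(host: str, allowlist: set[str]) -> bool:
    """Exact match, or suffix match against wildcard entries only."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            base = entry[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False

def url_allowed(url: str, allowlist: set[str]) -> bool:
    """Decide whether an agent may emit this URL."""
    try:
        parts = urlparse(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False            # data:, javascript: etc. are never allowed
    # hostname is taken after any userinfo, so
    # https://docs.example.com@evil.test resolves to host "evil.test".
    if parts.hostname is None:
        return False
    return host_allowed(parts.hostname, allowlist)

def filter_agent_response(text: str, allowlist: set[str]) -> tuple[str, list[str]]:
    """Replace links to unapproved domains with a placeholder and return
    the sanitized text plus the blocked URLs for logging and alerting."""
    blocked: list[str] = []
    def repl(m: re.Match) -> str:
        url = m.group(0)
        if url_allowed(url, allowlist):
            return url
        blocked.append(url)
        return "[link removed: domain not on Trusted URLs allowlist]"
    return URL_RE.sub(repl, text), blocked
```

Matching on the parsed hostname rather than on a substring of the raw URL is what stops look-alike hosts such as `docs.example.com.evil.test` or userinfo tricks from slipping through the allowlist.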
On Friday, TechNadu reported on a ForcedLeak vulnerability in Salesforce Agentforce that exposed CRM data through indirect AI prompt injection, offering mitigation recommendations and patches.
In mid-September, the FBI issued an alert on Salesforce breaches by the UNC6040 and UNC6395 cybercriminal groups, which impacted several companies.