Critical Flaw in Salesforce AI Agent Enables Data Exfiltration

A critical CVSS 9.4 vulnerability in Salesforce’s Agentforce AI platform, dubbed “ForcedLeak,” enables attackers to perform indirect prompt injection via Web-to-Lead forms, leading to potential exfiltration of customer data.

Salesforce customers have been urged to patch immediately after cybersecurity researchers at Noma Labs uncovered a severe vulnerability in the Agentforce AI platform that could allow threat actors to siphon sensitive customer information.

Dubbed ForcedLeak, the flaw impacts Salesforce’s Web-to-Lead functionality and carries a CVSS score of 9.4, indicating maximum severity.

How the Attack Works

The Web-to-Lead feature enables the automatic capture of prospect information through online forms at conferences and marketing campaigns.

Attackers exploit ForcedLeak to embed malicious instructions within apparently benign lead submissions.

When employees later query Agentforce about captured data, the AI agent inadvertently executes these hidden commands.

Unlike conventional chatbots, Agentforce is an autonomous AI agent engineered to reason, plan, and execute complex workflows.

Its expanded capabilities, spanning knowledge bases, internal memory, connected tools, and external systems, introduce a substantially larger attack surface.

ForcedLeak leverages indirect prompt injection, inserting multi-step instructions into data that the AI interprets as legitimate.

Technical Exploitation Details

Noma Labs researchers identified the Description field of the Web-to-Lead form as the optimal injection vector due to its generous 42,000-character limit.

The exploit chain hinges on three critical weaknesses:

1. Context Validation Failures: The AI agent processed data outside its intended scope, failing to distinguish between user-provided content and executable instructions.
2. Overly Permissive Model Behavior: Agentforce could not effectively filter out malicious payloads disguised as legitimate input.
3. Content Security Policy Bypass: An expired whitelisted domain (my-salesforce-cms.com) persisted in Salesforce’s configuration, allowing exfiltrated data to be transmitted to an attacker-controlled endpoint.

The expired domain’s trusted status was exploited to establish covert channels, enabling attackers to receive stolen customer contact details, sales pipeline records, internal communications, and historical interaction logs.

Organizations leveraging Salesforce Agentforce within sales, marketing, and customer acquisition workflows face an acute risk of data compromise.

Upon notification in July 2025, Salesforce launched an immediate investigation and issued patches by September 2025. Key mitigation steps include:

• Trusted URLs Enforcement: Restrict Agentforce and Einstein AI output transmissions to vetted endpoints only.
• Expired Whitelist Revocation: Remove or re-secure outdated domains from Content Security Policies.
• Input Validation and Sanitization: Implement strict checks on all incoming Web-to-Lead submissions to filter suspicious content.
• Data Auditing: Review existing lead records for anomalous instruction sequences or unusually long entries in the Description field.

This incident underscores the unique security challenges posed by AI agents within enterprise environments.

Traditional threat modeling and controls fall short when AI systems autonomously process complex instructions.

As AI integration in business workflows accelerates, organizations must adopt AI-centric security frameworks that encompass prompt hygiene, memory sanitization, and continuous model behavior monitoring to guard against novel attack vectors.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates

The post Critical Flaw in Salesforce AI Agent Enables Data Exfiltration appeared first on Cyber Security News.