Salesforce Patches Critical “ForcedLeak” Flaw in Agentforce That Could Expose CRM Data via Indirect Prompt Injection

What happened

Cybersecurity researchers at Noma Security disclosed a critical vulnerability in Salesforce Agentforce — the vendor’s platform for building AI-driven agents — that could allow attackers to exfiltrate sensitive information from a connected Salesforce CRM instance by leveraging an indirect form of prompt injection. The issue, tracked by Noma as “ForcedLeak” and assigned a CVSS score of 9.4, was patched by Salesforce following disclosure.

ForcedLeak (CVSS 9.4): an indirect prompt-injection pathway that can cause agent behavior to reveal protected CRM data to an adversary.

Background and context: why this matters

Prompt injection is a class of attacks specific to systems that use large language models (LLMs) or other generative AI components. In a prompt injection, an attacker places crafted content into an input channel or retrieval source that an AI model ingests; the malicious content then causes the model to ignore intended constraints or to disclose information it should not.

Agent platforms such as Salesforce Agentforce are designed to let organizations build automated assistants that can retrieve, synthesize and act on CRM data. That tight integration is also what makes such platforms attractive targets: CRM systems routinely contain personally identifiable information, financial records, sales and support histories, and other business-sensitive material. A successful exfiltration attack against an agent that has access to CRM data could expose a broad range of confidential records.

Technical overview and practitioner analysis

The disclosure characterizes ForcedLeak as an indirect prompt injection. In practice, indirect injections occur when an adversary cannot directly feed prompts into the model’s chat interface but can influence content the agent retrieves as part of its decision-making process (for example, external documents, knowledge-base articles, or user-submitted records). When that retrieved content is not properly sanitized or constrained, it can contain instructions that the agent follows, resulting in disclosure or other unsafe behaviors.

• Attack surface: Agents that autonomously retrieve context from CRM records, knowledge bases, or external web sources expand the attack surface. Any of those sources can carry crafted payloads.
• Privilege chaining: The agent’s permissions determine how much sensitive data an adversary might obtain. An agent with broad read access to CRM objects is far more valuable to an attacker than one limited to a small, non-sensitive scope.
• Failure modes: Common failure modes include lack of content validation, insufficient separation between instruction and data, and automated actioning of model outputs without human confirmation.

For security teams, the core takeaway is that the presence of an LLM or AI agent in the data flow introduces new trust boundaries. Traditional application filtering and role-based controls remain necessary but are not always sufficient to mitigate attacks that target the model’s interpretive behavior.

Comparable incidents and industry context

Prompt-injection attacks and other adversarial interactions with LLMs have been a recurring topic in security research since the widespread adoption of LLM-based systems. Researchers and practitioners have demonstrated ways that malicious inputs or manipulated retrieval sources can alter model behavior or cause information disclosure. These investigations have prompted vendors and customers to treat agent and retrieval pipelines with similar scrutiny to web and API attack surfaces.

More broadly, the security community has repeatedly emphasized that AI introduces new operational risks even as it automates tasks previously done by humans. Organizations that expose sensitive systems to AI-driven automation should anticipate targeted adversaries attempting to manipulate those systems’ data flows.

Practical recommendations and mitigations

Responding to ForcedLeak and preventing similar issues requires coordinated product updates from vendors and defensive controls from customers. The following recommendations are aimed at practitioners building or operating AI agents connected to CRM or other sensitive data sources.

• Apply vendor patches immediately. When a vendor issues a patch for an identified vulnerability, prioritize validation and deployment in production and staging environments.
• Minimize agent privileges. Use least-privilege principles for agent credentials and limit read/write scopes to only the data required for the agent’s task.
• Harden retrieval pipelines. Treat any content pulled into an agent’s context as untrusted. Implement sanitization, content-type validation, and explicit instruction/data separation before model consumption.
• Use content filters and information policies. Employ deterministic rule-based filters and data-loss-prevention (DLP) controls on model outputs as a secondary check against inadvertent disclosure.
• Require human-in-the-loop for sensitive actions. Avoid granting agents the ability to autonomously export, email, or otherwise share sensitive records without human review or multi-step confirmation.
• Monitor and log agent interactions. Maintain detailed audit trails of agent queries, retrieved context, and outputs. Use anomalous-behavior detection to surface unusual access or unusual content in retrievals.
• Rotation and isolation of credentials. Ensure agent credentials are short-lived, monitored, and stored in dedicated secrets management systems; isolate agent service accounts from other critical services.
• Adversarial testing and red teaming. Incorporate prompt-injection scenarios and retrieval-targeted tests into regular security assessments and threat models for AI agents.
• Network and application controls. Apply network segmentation, API rate limits, and WAF or gateway controls to reduce the ability of an attacker to manipulate the agent’s external inputs at scale.

Implications and risk assessment

A CVSS score of 9.4 denotes critical severity: a flaw with high exploitability and potential for significant impact. For organizations using Agentforce or similar platforms, the primary risks include unauthorized disclosure of customer and employee data, regulatory and compliance exposure, reputational damage, and potential financial costs tied to incident response and remediation.

Beyond the immediate technical remediation, boards and security leadership should consider this class of vulnerability in broader operational risk models for AI adoption. That means updating procurement checklists, contractual security requirements, and incident-response plans to account for AI-specific attack vectors such as prompt injections, data-poisoning and manipulation of retrieval sources.

Conclusion

ForcedLeak serves as a reminder that integrating generative AI with sensitive business systems creates new, adversary-accessible attack surfaces. Salesforce’s patch addresses the immediate flaw disclosed by Noma Security, but organizations must combine timely vendor updates with operational controls: least privilege, retrieval sanitization, output filtering, human review for sensitive actions, and monitoring. Treat AI agents as a new class of sensitive system in enterprise threat models and build layered defenses accordingly.

Source: thehackernews.com