ForcedLeak Flaw in Salesforce Agentforce Exposes CRM Data via Prompt Injection
A critical flaw, named ForcedLeak, has been discovered in Salesforce Agentforce that enables indirect prompt injection, risking the exposure of sensitive Customer Relationship Management (CRM) data. Researchers at Noma Labs revealed this vulnerability, which carries a Critical Vulnerability Severity Score (CVSS) of 9.4.
The ForcedLeak vulnerability affects organizations using Salesforce Agentforce with the Web-to-Lead functionality enabled. This critical bug allows attackers to exploit weaknesses in context validation, overly permissive AI model behavior, and a Content Security Policy (CSP) bypass to exfiltrate sensitive CRM data through an indirect prompt injection attack.
According to the report published by Noma Labs, attackers can create malicious Web-to-Lead submissions that execute unauthorized commands when processed by Agentforce. The Long-Short-Term Memory (LLM) model, operating as a straightforward execution engine, lacks the ability to distinguish between legitimate data loaded into its context and malicious instructions that should only be executed from trusted sources, resulting in critical sensitive data leakage.
Prompt injection comes in two flavors: In this case, an adversary can put malicious text into a web form that lands in the CRM. When staff ask the AI about the lead, the model pulls that stored, poisoned content and follows the hidden instructions as part of its prompt. Researchers discovered that Salesforce Agentforce's Web-to-Lead forms could be abused for indirect prompt injection.
After confirming the AI responded to general queries, they identified the "Description" field (42,000 characters) as an ideal payload vector. By crafting realistic employee interactions, attackers triggered malicious payload execution. Critically, Salesforce's Content Security Policy included an expired whitelisted domain, allowing attackers to exfiltrate sensitive CRM data via trusted channels.
Salesforce has since patched the issue and enforced allowlist controls. However, researchers built a proof-of-concept showing how an attacker can force Agentforce to leak CRM data. The payload asks harmless questions then instructs the model to list leads' email addresses (encoding spaces as %20) and embed them in an tag pointing to an attacker URL.
When an employee queries the lead, the AI follows the hidden instructions, the browser requests the image URL, and the attacker's server logs the exfiltrated data. The researchers ran a monitoring server on Amazon Lightsail to capture and analyze those incoming requests.
The Consequences of Inaction
"As AI platforms evolve toward greater autonomy, we can expect vulnerabilities to become more sophisticated," concludes the report. "The ForcedLeak vulnerability highlights the importance of proactive AI security and governance." The report emphasizes that even a low-cost discovery can prevent millions in potential breach damages.
Preventing AI-Related Breaches
"Don't let your AI agents become your biggest security vulnerability," warns the report. Organizations must take proactive steps to secure their AI systems, including implementing robust security measures, conducting regular vulnerability assessments, and staying informed about emerging threats like ForcedLeak.
Stay vigilant and stay informed. Follow me on Twitter: @securityaffairs and Facebook and Mastodon for the latest news on AI security and other cybersecurity topics.