Salesforce Agentforce Flaw Lets Hackers Steal CRM Data

Security researchers at Noma Labs uncovered a critical vulnerability, dubbed ForcedLeak, in Salesforce Agentforce that allows attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw, rated CVSS 9.4, specifically affects organizations using Agentforce with Web-to-Lead functionality enabled. Exploiting gaps in context validation and AI behavior, adversaries can embed malicious instructions in web form fields, which the AI later interprets as trusted input.

The Salesforce Agentforce flaw leverages the AI’s inability to distinguish between genuine data and embedded commands. Attackers used the “Description” field to insert prompts that instructed the AI to extract lead email addresses and send them to an external server. A proof-of-concept demonstrated how this data could be exfiltrated using a crafted HTML image tag. Researchers also discovered a misconfigured Content Security Policy that allowed data to exit through expired whitelisted domains.

Salesforce patched the issue in September. Read the full report here:

ForcedLeak flaw in Salesforce Agentforce exposes CRM data via Prompt Injection