PipeLeak prompt injection let attackers exfiltrate Salesforce Agentforce CRM data via forms
Capsule Security disclosed PipeLeak, an indirect prompt injection vulnerability in Salesforce Agentforce, on April 15, 2026. An external attacker could submit malicious instructions via a public CRM lead form, causing the Agentforce agent to retrieve sensitive lead data and send it to the attacker by email. Salesforce stated it remediated the specific scenario and characterized the issue as configuration-specific rather than a platform-level vulnerability.
A single line of text in a public lead form turned Agentforce into a data pipeline because the agent could not tell instructions from input.
Key facts
- What
- Capsule Security disclosed PipeLeak, an indirect prompt injection vulnerability in Salesforce Agentforce, on April 15, 2026.
- Incident date
- Apr 15, 2026
- Who
- Salesforce
- Failure mode
- Prompt Injection
- AI surface
- Agentic Workflow
- Severity
- High
What happened
On April 15, 2026, Capsule Security published research on PipeLeak, an indirect prompt injection vulnerability in Salesforce Agentforce. An unauthenticated external attacker could submit a malicious instruction through a public-facing CRM lead capture form. When an internal user asked the agent to process that lead, Agentforce executed the injected text as a system directive, called the GetLeadsInformation function to retrieve sensitive CRM records, and emailed the data to an attacker-controlled address. Salesforce acknowledged the issue and stated it had remediated the specific scenario, but classified it as configuration-specific rather than a platform vulnerability.
What broke inside the model
- 01 · TriggerThe model reads retrieved or user-supplied text.
- 02 · Model stepThat text carries hidden instructions.
- 03 · Control gapNothing separates untrusted data from trusted commands.
- 04 · FailureThe injected instruction overrides the operator's.
- 05 · ConsequenceThe system acts on an outsider's intent.
At the injection point, retrieved text overrides the operator's instruction.
Agentforce Agent Flows processed lead form inputs as trusted instructions rather than untrusted data, failing to separate user-supplied content from system directives. The AI agent could not distinguish between legitimate system prompts and attacker-injected text, so a single line of malicious input in a form field was sufficient to override the agent's intended behavior and instruct it to exfiltrate CRM records via email.
What it cost
Sources
- PrimaryPipeLeak: The Lead That Stole Your Database - Exploiting Salesforce Agentforce With Indirect Prompt Injectioncapsule.security
- PressMicrosoft, Salesforce Patch AI Agent Data Leak Flawsdarkreading.com
- PressCopilot and Agentforce fall to form-based prompt injection trickscsoonline.com
Cite this entry
https://failureindex.ai/failures/pipeleak-prompt-injection-let-attackersAI Failure Index. "PipeLeak prompt injection let attackers exfiltrate Salesforce Agentforce CRM data via forms" (FI-0179). Realm Labs. https://failureindex.ai/failures/pipeleak-prompt-injection-let-attackers (indexed Jun 4, 2026).Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0179. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.