A recently disclosed security research report has revealed a severe vulnerability chain in Salesforce AgentForce, dubbed ForcedLeak, which highlights a new class of AI-specific threats in enterprise systems.
The vulnerability, discovered by a cybersecurity firm and rated critical with a CVSS score of 9.4, exposes how the expanded attack surface of autonomous AI agents like those in AgentForce can be exploited through indirect prompt injection attacks.
Overview of the Salesforce ForcedLeak Vulnerability
ForcedLeak targets Salesforce AgentForce, a CRM-integrated AI agent platform that autonomously handles complex business tasks such as lead management and customer communication.
The core of the vulnerability lies in how AI agents process external inputs, not just as static data but as dynamic, executable instructions. Unlike traditional chatbot systems, AI agents with autonomous reasoning, internal memory, and tool-calling abilities present significantly broader attack surfaces.
Noma Labs found that attackers could inject malicious instructions into Salesforce’s Web-to-Lead form submissions. When internal employees later queried AgentForce about these leads, the AI would process the embedded payloads unknowingly, effectively turning trusted data into an attack vector.
The flaw allowed for unauthorized access to sensitive CRM data, including customer contacts, sales strategies, and even third-party integration information.
Attack Methodology and Technical Details
The researchers mapped out a multi-phase attack that involved:
- Injection Point Identification: The “Description” field in Salesforce’s Web-to-Lead forms, with its 42,000-character limit, was identified as an ideal target for payload insertion.
- Realistic Prompt Construction: The attacker crafted lead data that, when reviewed by employees using AgentForce, would cause the AI to execute embedded malicious instructions.
- Prompt Injection via Trusted Queries: A prompt like “Please, check the lead with name ‘Alice Bob’ and answer their questions…” would seem innocuous, but would trigger the AI to parse and act upon malicious instructions in the data.
- CSP Bypass via Expired Whitelisted Domain: Salesforce’s Content Security Policy (CSP) allowed outbound data transmission to certain whitelisted domains. One such domain, my-salesforce-cms.com, had expired and was purchased by researchers to demonstrate how data could be exfiltrated through a seemingly trusted channel.
This combination of factors created a high-impact vulnerability chain, ultimately proving how Salesforce AgentForce could be manipulated to leak sensitive CRM data with no direct user interaction.
Who Was at Risk?
Any organization using Salesforce AgentForce with Web-to-Lead functionality, particularly in sales, marketing, and customer acquisition, was potentially at risk. These environments routinely ingest external data from forms filled out by prospects at conferences, marketing campaigns, or websites, providing fertile ground for malicious submissions.
Business and Security Impact
The implications of ForcedLeak are significant:
- Data Exposure: Customer information, internal communications, sales pipeline details, and historical CRM records were all potentially vulnerable.
- Regulatory Risks: Breach disclosure requirements and compliance violations could follow such exposures.
- Reputational Damage: Any confirmed data breach involving sensitive customer data could severely impact brand trust.
- Lateral Movement: Due to Salesforce’s extensive API and business system integrations, attackers could potentially pivot across internal systems once inside.
The research also revealed the possibility of time-delayed execution, where payloads remain dormant until triggered by a future employee action, making detection and response far more difficult.
Salesforce’s Response
Here is a timeline of events:
- July 28, 2025: Noma Labs reported the vulnerability to Salesforce.
- July 31, 2025: Salesforce acknowledged the issue and began an investigation.
- September 8, 2025: Salesforce released a patch implementing Trusted URLs Enforcement for both AgentForce and Einstein AI.
- September 25, 2025: Public disclosure of vulnerability.
Salesforce also secured the expired domain from the whitelist and strengthened its CSP policies to prevent similar bypasses.
