Particle.news
Download on the App Store
3 ARTICLES
·
1h ago

Salesforce Patches 'ForcedLeak' Agentforce Flaw That Risked CRM Data Exfiltration

Researchers demonstrated an indirect prompt injection through Web-to-Lead that funneled records to an attacker-controlled domain left trusted by stale allowlist rules.

Image
ForcedLeak Flaw in Salesforce Agentforce AI Agent Exposed CRM Data
Image

Overview

  • Noma Security reported the issue on July 28 and disclosed it publicly on September 25 after Salesforce completed remediation.
  • The attack embedded hidden instructions in the Web-to-Lead Description field, prompting the AI agent to package sensitive data into an image URL for transmission.
  • The proof-of-concept routed data to my-salesforce-cms.com, an expired domain that remained allowlisted and could be cheaply purchased by an attacker.
  • Salesforce re-secured the domain and now enforces a Trusted URL allowlist for Agentforce and Einstein AI to block output to unapproved destinations.
  • The flaw carries a CVSS score of 9.4 and affects deployments using Web-to-Lead, with experts urging audits of lead submissions, strict input validation, and stronger agent guardrails.