Particle.news
Download on the App Store
5 ARTICLES
·
last wk.

Salesforce Patches 'ForcedLeak' in Agentforce After Researchers Expose AI-Driven Data Leak Risk

Public disclosure underscores how autonomous agents can execute hidden instructions embedded in routine CRM inputs.

Salesforce Agentforce hit by Noma "ForcedLeak" exploit
Image
ForcedLeak Flaw in Salesforce Agentforce AI Agent Exposed CRM Data
Image

Overview

  • Noma Security reported the issue on July 28 and published details on September 25 after Salesforce enforced Trusted URL allowlists by September 8 for Agentforce and Einstein AI.
  • Researchers showed an indirect prompt injection via the Web-to-Lead Description field that caused the agent to run concealed commands and package CRM data into an image request.
  • The exfiltration route relied on an expired Salesforce-related allowlisted domain that the team re-registered for about $5, which Salesforce has since re-secured.
  • At risk were high-value records such as customer contacts, sales pipeline details and internal communications, according to the proof-of-concept.
  • Salesforce and security experts advise customers to enforce Trusted URLs, audit lead submissions for unusual instructions, validate and sanitize inputs, and apply stricter tool-calling guardrails.