
Critical ‘ForcedLeak’ Flaw Hits Salesforce Agentforce AI System

Critical “ForcedLeak” Vulnerability in Salesforce Agentforce AI Exposes Sensitive CRM Data via Indirect Prompt Injection

  • A critical vulnerability, named ForcedLeak, has been discovered in Salesforce’s Agentforce AI platform.
  • The flaw could allow attackers to steal sensitive data from customer management systems using indirect prompt injection.
  • The issue affects organizations using Agentforce with Web-to-Lead functionality enabled.
  • Salesforce has secured the affected domain and released security patches, adding controls to block data leaks to untrusted destinations.
  • Users are advised to enforce stricter input validation, monitor for suspicious data, and adopt recommended security measures.

Security researchers reported a major flaw in the Salesforce Agentforce platform on July 28, 2025. The vulnerability, called ForcedLeak, could let attackers pull sensitive information from the company’s CRM by tricking the AI system through indirect prompt injection.


ForcedLeak, which received a severity score of 9.4 out of 10, threatens any company using the Agentforce platform with its Web-to-Lead form feature. The bug, discovered by Noma Security, takes advantage of the way AI agents process and respond to instructions embedded in external data.

“This vulnerability demonstrates how AI agents present a fundamentally different and expanded attack surface compared to traditional prompt-response systems,” said Sasi Levi, security research lead at Noma. According to the researchers, attackers could submit a Web-to-Lead form containing hidden instructions in the Description field. When an employee processes this lead using the AI, the agent may follow these malicious instructions because it cannot tell them apart from legitimate lead data, resulting in unintended data leaks.

The attack works by transmitting stolen information to a domain previously allowed by Salesforce’s security settings. This domain had expired and was purchased by the attacker for only $5. The data was then exfiltrated as a PNG image to this domain. The attack chain exploits weak context checking, overly broad AI model behavior, and a bypass of existing security policies.

Salesforce has reclaimed the expired domain and released patches to strengthen the system. Now, Agentforce and Einstein AI agents will limit content sharing to trusted URLs only, using an official allowlist.


“Our underlying services powering Agentforce will enforce the Trusted URL allowlist to ensure no malicious links are called or generated through potential prompt injection,” Salesforce said in a recent alert. The company recommends that users apply these controls, review current lead data for suspicious entries, and add stronger input validation and data cleaning steps.
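A sketch of the two controls described above: enforcing a trusted-URL allowlist on agent output, and reviewing stored lead descriptions for URLs to untrusted hosts. This is an added example, not Salesforce's or Noma's code; the host names, lead records and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: placeholder hosts, not Salesforce's actual Trusted URLs.
TRUSTED_HOSTS = {"cdn.example.com", "assets.example.com"}

# Bare URLs, including those inside Markdown image or link syntax.
URL_RE = re.compile(r"https?://[^\s)\"'<>]+", re.IGNORECASE)

def host_is_trusted(url, trusted=TRUSTED_HOSTS):
    """HTTPS plus exact hostname match; substring and suffix matches are rejected."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme == "https" and host in trusted

def untrusted_urls(text, trusted=TRUSTED_HOSTS):
    """List every URL in text whose host is not on the allowlist."""
    return [u for u in URL_RE.findall(text) if not host_is_trusted(u, trusted)]

def filter_agent_output(text, trusted=TRUSTED_HOSTS):
    """Replace non-allowlisted URLs before the agent's output is rendered."""
    def keep_or_block(match):
        url = match.group(0)
        return url if host_is_trusted(url, trusted) else "[blocked-url]"
    return URL_RE.sub(keep_or_block, text)

def review_leads(leads, trusted=TRUSTED_HOSTS):
    """Return (lead id, URLs) for stored descriptions that reference untrusted hosts."""
    flagged = []
    for lead in leads:
        urls = untrusted_urls(lead["description"], trusted)
        if urls:
            flagged.append((lead["id"], urls))
    return flagged

# Constructed sample data for illustration only.
SAMPLE_OUTPUT = ("Summary ready. ![logo](https://cdn.example.com/logo.png) "
                 "![chart](https://untrusted.example/p.png?c=1)")
SAMPLE_LEADS = [
    {"id": "L-001", "description": "Please call me about pricing."},
    {"id": "L-002", "description": "See https://untrusted.example/p.png?c=1 for details"},
    {"id": "L-003", "description": "Brochure: https://assets.example.com/b.pdf"},
]

if __name__ == "__main__":
    print(filter_agent_output(SAMPLE_OUTPUT))
    print(review_leads(SAMPLE_LEADS))
```

An allowlist is only as good as its entries: the bypass reported here relied on an allowlisted domain that had expired, so the hosts on the list need periodic ownership review as well.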

Security experts view ForcedLeak as a reminder for organizations to maintain proactive AI security. Sasi Levi adds: “It serves as a strong reminder that even a low-cost discovery can prevent millions in potential breach damages.” For more information, the initial advisory is available here. More technical details can be found in Noma’s full report here.
