Prompt InjectionCritical

ForcedLeak: Indirect Prompt Injection Exfiltrates CRM Data From Salesforce Agentforce

Salesforce

What Happened

Noma Labs found a critical chain in Salesforce Agentforce where an attacker submits a Web-to-Lead form with malicious instructions buried in the description field, which allows tens of thousands of characters. When an employee later asked the AI to process that lead through normal workflows, the agent executed both the legitimate request and the attacker's hidden commands. An expired but still-allowlisted domain in Salesforce's content security policy provided a trusted channel to smuggle the stolen CRM data out via image requests.

Impact

Any organization using Agentforce with Web-to-Lead enabled could have lead and CRM data exfiltrated by an unauthenticated external party. Salesforce (CVSS 9.4) re-secured the expired domain and rolled out Trusted URL enforcement for Agentforce and Einstein AI.

How to Prevent This

  • Sanitize and length-limit externally submitted fields before any AI agent ingests them
  • Maintain and continuously audit CSP allowlists, removing expired or lapsed domains that can be re-registered
  • Constrain agent context so it cannot act on instructions embedded in unrelated record data
  • Require explicit human approval before agents transmit data to any external destination
  • Separate trusted operator instructions from untrusted record content at the architecture level

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment