What Happened
Noma Labs found a critical chain in Salesforce Agentforce where an attacker submits a Web-to-Lead form with malicious instructions buried in the description field, which allows tens of thousands of characters. When an employee later asked the AI to process that lead through normal workflows, the agent executed both the legitimate request and the attacker's hidden commands. An expired but still-allowlisted domain in Salesforce's content security policy provided a trusted channel to smuggle the stolen CRM data out via image requests.
Impact
Any organization using Agentforce with Web-to-Lead enabled could have lead and CRM data exfiltrated by an unauthenticated external party. Salesforce (CVSS 9.4) re-secured the expired domain and rolled out Trusted URL enforcement for Agentforce and Einstein AI.
How to Prevent This
- Sanitize and length-limit externally submitted fields before any AI agent ingests them
- Maintain and continuously audit CSP allowlists, removing expired or lapsed domains that can be re-registered
- Constrain agent context so it cannot act on instructions embedded in unrelated record data
- Require explicit human approval before agents transmit data to any external destination
- Separate trusted operator instructions from untrusted record content at the architecture level