Cybersecurity researchers have disclosed a major flaw in Salesforce Agentforce, a platform designed for building AI-powered agents. The vulnerability, codenamed ForcedLeak (CVSS score: 9.4), could have enabled attackers to exfiltrate sensitive data from Salesforce’s CRM system using an indirect AI prompt injection.
The issue was discovered and reported by Noma Security on July 28, 2025. It affects organizations using Agentforce with the Web-to-Lead functionality enabled.
How ForcedLeak Works
According to Sasi Levi, security research lead at Noma, ForcedLeak highlights how AI agents expand the attack surface beyond traditional prompt-response systems. Unlike typical input manipulation, this flaw exploits hidden instructions within legitimate data sources.
The attack method is simple yet effective. By inserting malicious instructions into the Description field of a Web-to-Lead form, attackers could trick Agentforce into executing unauthorized commands. The stolen data would then be exfiltrated to a Salesforce-related domain that had expired and could be purchased cheaply by attackers.
Five Steps of the Attack:
- Attacker submits Web-to-Lead form with a malicious Description.
- Employee processes the lead using an AI query.
- Agentforce executes both legitimate and malicious instructions.
- System retrieves sensitive CRM lead data.
- Data is transmitted to the attacker-controlled domain in the form of a PNG image.
Noma’s research noted that this exploit succeeded because of weak context validation, overly permissive AI model behavior, and a Content Security Policy (CSP) bypass.
Salesforce Response
Salesforce quickly moved to mitigate the issue. The company re-secured the expired domain and introduced patches that prevent Agentforce and Einstein AI agents from sending output to untrusted URLs.
A new Trusted URL allowlist mechanism was added to enforce stricter outbound request validation. This ensures that even if prompt injection occurs, data cannot be transmitted to unauthorized domains.
Recommendations for Users
Security experts recommend that Salesforce customers:
- Enforce Salesforce’s Trusted URL allowlist.
- Audit existing Web-to-Lead submissions for suspicious instructions.
- Implement strict input validation and sanitization for untrusted data sources.
Broader Implications
The ForcedLeak attack is considered a variant of the previously disclosed EchoLeak (CVE-2025-32711), which enabled zero-click AI data exfiltration. According to Itay Ravia, head of Aim Labs, this confirms that RAG-based agents across multiple platforms are vulnerable to similar attacks.
“These vulnerabilities are endemic to agent-based AI systems and will continue to surface unless stronger guardrails and governance measures are put in place,” Ravia explained.
Conclusion
The ForcedLeak vulnerability is a clear reminder that AI-powered platforms must adopt proactive security and governance strategies. What may seem like a low-cost vulnerability could easily lead to millions in damages if exploited at scale.
