A vulnerability in Agentforce, which could let external attackers exfiltrate sensitive CRM data, has been exposed.
Israeli cybersecurity startup Noma Security, which specializes in securing enterprise data and AI models against AI agents, announced on September 25 that they had discovered a “critical severity vulnerability chain” in Salesforce’s AI product.
Noma said that Salesforce was notified of the vulnerability, and the CRM giant acted immediately to investigate – and later released patches that prevent output in Agentforce agents from being sent to untrusted URLs.
Any organization using Agentforce with Web-to-Lead functionality enabled could have been impacted, particularly those in sales, marketing, and customer acquisition workflows where external lead data was regularly processed by AI agents, Noma said.
What Was the Vulnerability?
Noma enabled Salesforce’s Web-to-Lead feature – which lets external users, like website visitors or conference attendees, submit lead information that integrates with the CRM.
The vulnerability takes advantage of ‘indirect prompt injection’, where an attacker embeds malicious instructions in data that will later be processed by the AI when legitimate users interact with it.
Noma explained the Agentforce vulnerability in a blog post, writing: “In this scenario, the attacker exploits indirect prompt injection by embedding malicious instructions within data that the AI system will later retrieve and process.
“The attacker places malicious content in a web form, which gets stored in the system’s database. When employees subsequently query the AI about that lead data, the AI retrieves and processes the compromised information, inadvertently executing the hidden malicious instructions as if they were part of its original prompt.”
Noma claims that their research identified a number of critical components which contributed to the vulnerability, including “insufficient restrictions on query scope and context”; “inadequate sanitization of user-controlled data fields”; “overly permissive domain whitelist with expired assets”; and “predictable employee queries that trigger processing of attacker-controlled data”.
The cybersecurity firm – which raised $100M in a private funding round earlier this year – conducted initial tests focused on understanding Agentforce’s operational boundaries.
They submitted a number of queries to find out whether the system would process requests outside its intended domain.
The above example confirmed that Agentforce would process general knowledge queries unrelated to Salesforce data, suggesting insufficient context boundaries that could be exploited in prompt injection scenarios.
With this understanding, Noma then systematically analyzed Salesforce’s Web-to-Lead form fields to discover suitable injection points:
The Description field was the “ideal” injection point because of its substantial character limit, allowing for complex, multi-step instruction sets, Noma said.
The third step was developing realistic employee interaction scenarios which would naturally take place in a business environment – and trigger AI processing of the malicious content.
The above formulation appears as a standard business request while making sure that the AI processes both the employee’s instruction and the attacker’s embedded payload.
Noma says that the next phase – CSP Bypass Discovery – was “essential to the attack’s success”, because without bypassing the Content Security Policy, data exfiltration “would have been impossible”, meaning this discovery was one of the most critical components of the vulnerability chain.
Salesforce’s Content Security Policy was analyzed, and a critical oversight was revealed.
Noma explained the vulnerability: “The domain my-salesforce-cms.com was whitelisted but had expired and become available for purchase, creating a trusted exfiltration channel. Salesforce has re-secured the expired whitelist domain, mitigating the risk of potential exfiltration.
“Salesforce has also implemented additional security controls, including Trusted URLs Enforcement for Agentforce and Einstein AI, to ensure its trusted domains are appropriately maintained.
“Expired domains can be used by an attacker to bypass security controls and establish a seemingly legitimate communication pathway for data theft, as the expired domain retains its trusted status while being under malicious control. This is a crucial part of demonstrating how domain expiration could create significant security vulnerabilities in whitelist-based protection systems.”
The Final Payload
The final proof-of-concept payload showed how the vulnerability could be used to retrieve CRM data, which helped Noma confirm the security risk – and give Salesforce the information needed to develop a fix.
Noma established a monitoring server on Amazon Lightsail configured to log all incoming HTTP requests; parse URL parameters for extracted data; maintain persistent logs for analysis; and provide real-time attack notifications.
So the vulnerability could be exploited with the following execution flow:
- Initial Compromise: Attacker submits Web-to-Lead form with malicious Description.
- Realistic employee interaction: Internal employee processes lead using a standard AI query.
- Prompt Injection: Agentforce executes both legitimate and malicious instructions.
- Data Extraction: System queries CRM for sensitive lead information.
- Exfiltration: Generated image request transmits data to attacker-controlled server.
According to Noma, they discovered and reported the vulnerability to Salesforce on July 28, with the company responding and acknowledging on July 31. On September 8, Salesforce implemented Trusted URLs Enforcement for Agentforce and Einstein AI.
I Might Be Affected – What Do I Do Now?
If you think you might be impacted by the vulnerability, Noma recommends that you take the following actions:
- Immediately apply Salesforce’s recommended actions to enforce Trusted URLs for Agentforce and Einstein AI.
- All existing lead data should be audited for suspicious submissions with unusual instructions or formatting.
- Put in place strict input validation and prompt injection detection on all user-controlled data fields.
- Sanitize data from untrusted sources.
Summary
Noma Labs discovered ‘ForcedLeak’, a critical severity vulnerability chain in Agentforce, which might have enabled external attackers to exfiltrate sensitive CRM data through an indirect prompt injection attack.
The immediate risk has been addressed, Noma says.
Any organization using Salesforce Agentforce with Web-to-Lead functionality enabled, particularly those in sales, marketing, and customer acquisition workflows where external lead data was regularly processed by AI agents, might have been affected, according to the cybersecurity company.
A Salesforce spokesperson said: “Salesforce is aware of the vulnerability reported by Noma and has released patches that prevent output in Agentforce agents from being sent to untrusted URLs. The security landscape for prompt injection remains a complex and evolving area, and we continue to invest in strong security controls and work closely with the research community to help protect our customers as these types of issues surface.”
