Microsoft, Salesforce Patch AI Agent Data Leak Flaws

СLOUD SECURITY APPLICATION SECURITY VULNERABILITIES & THREATS THREAT INTELLIGENCE NEWS Microsoft, Salesforce Patch AI Agent Data Leak Flaws Two recently fixed prompt injections in Salesforce Agentforce and Microsoft Copilot would have enabled an external attacker to leak sensitive data. Alexander Culafi,Senior News Writer,Dark Reading April 15, 2026 5 Min Read SOURCE: TECHA TUNGATEJA VIA ALAMY STOCK PHOTO One aspect of the "AI revolution" keeping security professionals up at night is the continued prevalence of prompt injection attacks that enable exfiltration of sensitive data — even against dominant vendors like Microsoft and Salesforce. Capsule Security, a vendor that sells AI agent runtime security, published research today concerning prompt injection vulnerabilities involving Salesforce Agentforce and Microsoft Copilot. Although both vulnerabilities have been addressed, the research is a reminder that the prompt injection remains an unsolved problem for large language models (LLMs).  In the case of the Salesforce flaw, which Capsule refers to as "PipeLeak," an attacker could insert malicious instructions into an untrusted lead capture form, which a Salesforce agent would interpret as a trusted prompt. The form in question is a public-facing customer relationship management (CRM) form that a prospective client may use on the Salesforce customer's website. Related:Microsoft Bets $10 Billion to Boost Japan's AI, Cybersecurity In an example prompt, Capsule instructed the agent to send all the leads it can find. There was no complex code or exploit as part of the instructions either — just a single line instructing Salesforce to list all the leads it can locate in the form email sent back to the attacker. "The vulnerability stems from a fundamental architectural flaw: Agent Flows process lead form inputs as trusted instructions rather than untrusted data," Capsule's Bar Kaduri wrote. "Because lead forms accept arbitrary text from external, unauthenticated users, an attacker can embed malicious prompts that override the agent's intended behavior." In parallel, Capsule refers to the Microsoft Copilot vulnerability as "ShareLeak." In this attack (CVE-2026-21520), which was granted a high-severity (7.5 CVSS) designation, an attacker would have been able to insert malicious code into a SharePoint form input, which triggers the connected Copilot data and returns customer data to an attacker-controlled email. Even when safety mechanisms flagged the attack, data was still exfiltrated.  Loading... The attack was a bit more involved and required a more complex command in order to override intended AI agent behavior, but like the Agentforce bug, it's a prompt injection triggered by a customer-facing form.  The Complexities of Human in the Loop In response to Capsule's report, Salesforce thanked the security vendor and addressed the prompt injection. However, regarding the data exfiltration component, Salesforce told Capsule (according to a response published in the blog post) that this is a configuration-specific issue and that customers can activate human-in-the-loop requirements as a configuration setting to prevent data leaking. Related:Why Orgs Need to Test Networks to Withstand DDoS Attacks During Peak Loads "We have determined this is a configuration-specific issue rather than a platform-level vulnerability," the CRM vendor said in the blog post. "To ensure security, our out-of-the-box (OOTB) email actions require human-in-the-loop (HITL) oversight. The same HITL requirement is available as a configuration setting for your custom actions to prevent unintentional data transfers/actions." Naor Paz, co-founder and CEO of Capsule Security, found it "very surprising" that Salesforce's response mostly boiled down to human in the loop configuration recommendations. "The whole thing about agents is they do things for you without you babysitting them, right?" he tells Dark Reading. As Paz explains, it's not how many organizations use AI tools. "We're seeing agents like Claude Code, for example, running for days, writing code, querying production databases, and doing many dangerous things autonomously," he says. "And I think their answer, like, 'Do human in the loop,' is just embarrassing, to be honest with you." In a statement, a Salesforce spokesperson tells Dark Reading that it is aware of the issue and has remediated it. Related:CSA: CISOs Should Prepare for Post-Mythos Exploit Storm "Prompt injection is an evolving challenge across the AI industry, and our approach includes layered safeguards designed to help mitigate these risks, including controls around instruction isolation, tool-use restrictions, and human oversight," Salesforce says in its response. "We continue to refine these safeguards and work with the security research community to enhance protections as these threats evolve." Capsule recommends organizations running Agentforce treat all lead form inputs as untrusted data, disallow Email Tool usage when processing untrusted inputs, apply input sanitation and prompt boundary techniques, require manual review before sending emails with CRM data, and to log all agent actions involving data access or external communication.  Prompt Injections Keep Doing Their Thing "As organizations rush to deploy AI agents across their operations, they inherit significant risks that existing security tools weren't designed to address," Kaduri wrote in a blog post discussing Microsoft's Copilot flaw. "The attack we demonstrated required no special access, no exploitation of traditional software vulnerabilities, and no advanced technical skills, just an understanding of how LLMs process instructions." Microsoft addressed CVE-2026-21520 following Capsule's report. Dark Reading has contacted the company for additional comment. Capsule Security's research acts as a reminder that the prompt injection isn't going anywhere for the foreseeable future. It's also hard to say how the landscape for these attacks might change as exploit-hunting capabilities like those found in Anthropic's Claude Mythos reach the threat actor masses.  Paz tells Dark Reading that in AI agent security, there's a concept called the "lethal trifecta," defined as the intersection of an agent with access to sensitive data, external exposure to untrusted content, and the ability to communicate externally. And when those three things exist together, data can be more easily manipulated. "It's not a resource problem," he says. "I think it's more of an approach problem, because all these large vendors, including Microsoft, still have to deal with this. They still don't have the right approaches to match this newer problem." Don't miss the latest Dark Reading Confidential podcast, Security Bosses Are All in on AI: Here's Why, where Reddit CISO Frederick Lee and Omdia analyst Dave Gruber discuss AI and machine learning in the SOC, how successful deployments have (or haven’t) been, and what the future holds for AI security products. Listen now! About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports AI SOC for MDR: The Structural Evolution of Managed Detection and Response How Enterprises Are Developing Secure Applications KuppingerCole Business Application Risk Management Leadership Compass 2026 CISO AI Risk Report QKS AI Maturity Matrix Access More Research Webinars Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Tips for Managing Cloud Security in a Hybrid Environment? Zero Trust Architecture for Cloud environments: Implementation Roadmap Security in the AI Age Identity Maturity Under Pressure: 2026 Findings and How to Catch Up More Webinars You May Also Like СLOUD SECURITY 'InstallFix' Attacks Spread Fake Claude Code Sites by Rob Wright MAR 09, 2026 СLOUD SECURITY Fake AI Chrome Extensions Steal 900K Users' Data by Alexander Culafi JAN 08, 2026 СLOUD SECURITY Silk Typhoon Attacks North American Orgs in the Cloud by Nate Nelson, Contributing Writer AUG 22, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS RSAC 2026: AI Dominates, But Community Remains Key to Security byKristina Beek,Rob Wright APR 2, 2026 THREAT INTELLIGENCE Axios Attack Shows How Complex Social Engineering Is Industrialized byAlexander Culafi APR 6, 2026 5 MIN READ ICS/OT SECURITY Iranian Threat Actors Disrupt US Critical Infrastructure via Exposed PLCs byElizabeth Montalbano APR 8, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Loading... Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning MON, MAY 11, 2026 AT 1:00PM ET Tips for Managing Cloud Security in a Hybrid Environment? THURS, MAY 7, 2026 AT 1PM EST Zero Trust Architecture for Cloud environments: Implementation Roadmap TUES, MAY 12, 2026 AT 1PM EST Security in the AI Age TUES, APRIL 28, 2026 AT 1PM EST Identity Maturity Under Pressure: 2026 Findings and How to Catch Up WED, MAY 6,2026 AT 1PM EST More Webinars White Papers How Sunrun Transformed Security Operations with AiStrike Autonomous Pentesting at Machine Speed, Without False Positives Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE