ForcedLeak Flaw in Salesforce Agentforce AI Agent Exposed CRM Data

A vulnerability dubbed ForcedLeak was recently discovered in Salesforce Agentforce, an AI-driven system designed to handle complex business tasks within CRM environments. Noma Security identified the critical flaw, which was initially rated CVSS 9.1 and later updated to 9.4, allowing remote attackers to steal private CRM data. The firm shared its research with Hackread.com.

****How the Attack Worked****

The problem lies in the autonomous way AI agents work. Unlike simple chatbots that are “prompt-response” systems, these agents can “reason, plan, and execute complex business tasks,” making them a considerably bigger target. The core issue here was an indirect prompt injection attack, which happens when a bad instruction is secretly placed inside data that the AI system later processes.

In the case of Agentforce, attackers used the commonly enabled Web-to-Lead feature, which lets website visitors submit information that goes straight into the CRM. By putting malicious code into a large input field, like the Description box, the attacker set a trap. When an employee later asked the AI agent a normal question about that lead data, the agent would mistakenly treat the hidden instruction as part of its job.

According to Noma Security’s blog post, its researchers found that the AI could not tell the difference “between legitimate data loaded into its context versus malicious instructions.” To prove the risk, they ran a Proof of Concept (PoC), using malicious code to force the AI to grab sensitive CRM data like email addresses. The code tricked the AI into stuffing the data inside the web address for an image. When the system viewed that image, the private data was transmitted to the researchers’ server, confirming the successful theft.

****Stolen Data and Immediate Fixes****

The data at risk included sensitive information like customer contact details, sales pipeline data revealing business strategy, internal communications, and historical records. The vulnerability impacted any organisation using Salesforce Agentforce with the Web-to-Lead feature enabled, especially those in sales and marketing.

The attack also involved exploiting an outdated part of the system’s security rules (Content Security Policy, or CSP). Researchers discovered that a domain (my-salesforce-cms.com) that was still considered ‘trusted’ had actually expired and was available to purchase for just $5. An attacker could use this expired, but trusted, domain to secretly send stolen data out of the system.

After being informed about the issue on July 28th, 2025, Salesforce quickly investigated. By September 8th, 2025, the company had implemented fixes, including enforcing “Trusted URLs” for Agentforce and its Einstein AI, to stop data from being sent to untrusted web addresses, and re-securing the expired domain.

The firm advised users to immediately “enforce Trusted URLs for Agentforce and Einstein AI” and audit all existing lead data for unusual submissions. The vulnerability was made public on September 25th, 2025.

In a statement to Hackread.com, a Salesforce spokesperson said that the company is aware of the vulnerability reported by Noma and has released patches to stop Agentforce agents from sending output to untrusted URLs.

“Salesforce is aware of the vulnerability reported by Noma and has released patches that prevent output in Agentforce agents from being sent to untrusted URLs. The security landscape for prompt injection remains a complex and evolving area, and we continue to invest in strong security controls and work closely with the research community to help protect our customers as these types of issues surface.”

Salesforce Spokesperson

****Why It’s Important****

The ForcedLeak flaw is particularly important to discuss in light of the massive Salesforce-linked data breaches that have surfaced this year. Salesforce sits at the heart of business operations for thousands of organisations, holding sensitive customer records, financial details, and sales strategies.

A vulnerability in its AI-powered Agentforce system means attackers could exploit a trusted platform not just to steal isolated records, but to automate large-scale data extraction through everyday business processes.

With CRM data often being the crown jewels for enterprises, combining AI vulnerabilities with already high-value Salesforce environments greatly increases the risk, making it critical for organisations to reassess their exposure and security controls.

****Expert View****

“It’s advisable to secure the systems around the AI agents in use, which include APIs, forms, and middleware, so that prompt injection is harder to exploit and less harmful if it succeeds,” said Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck.

She stressed that true prevention is around maintaining configuration and establishing guardrails around the agent design, software supply chain, web application, and API testing.