Overview: A Critical Flaw in Salesforce AI Agents
Israel-based security firm Noma Security disclosed a critical vulnerability in Salesforce’s AI-driven Agentforce platform, naming the flaw ForcedLeak. The issue received a CVSS score of 9.4, placing it in the most dangerous category for autonomous AI agents that operate within CRM environments. Salesforce patched the vulnerability after the disclosure, but the incident underscores a broader class of risks tied to autonomous agents and the way they interpret and follow prompts.
What is Agentforce and why is it risky?
Agentforce is Salesforce’s solution for deploying autonomous AI agents that manage customer relationships. These agents can analyze inbound leads from contact forms, draft marketing proposals, respond to customers, and log interactions directly into a company’s CRM. Because they routinely access sensitive business data—customer contact details, lead information, deal stages, and internal notes—any vulnerability in how these agents operate can expose confidential information.
How ForcedLeak Worked: Indirect Prompt Injection
The core of the attack was an Indirect Prompt Injection technique. A threat actor filled a standard lead form with a covert instruction designed to cause the AI agent to fetch an external image resource. In effect, the agent treated part of the lead as a directive to load external content. The attacker crafted the instruction so that the agent would include fields from the CRM (names, phone numbers, lead summaries, etc.) in the outgoing request to the external server. To avoid triggering alarms, the attacker purchased an old domain that had once been associated with Salesforce verification, making the request appear superficially legitimate to the agent.
Why a Permissive External Fetch is Dangerous
When an autonomous agent is allowed to fetch external resources as part of its normal workflow, it creates a new surface for data exfiltration. If the request contains CRM data, the external channel can inadvertently become a leakage path. In ForcedLeak, the external fetch happened automatically and without human confirmation, meaning data could flow to the attacker’s server without a click or a formal authorization step.
What Data Could Have Been Exposed?
The potential leakage extended beyond Salesforce itself to the customer organizations using Agentforce. Any CRM data accessible to the agent—including customer contact details, lead attributes, notes, and interaction histories—could be transmitted to an attacker-controlled server via the external resource call. In practice, this means a seemingly legitimate form submission could reveal sensitive business information or private customer data, undermining both privacy and competitive integrity.
Industry and Vendor Response
Salesforce acted to remediate the vulnerability once detected. The ForcedLeak disclosure highlights a trend in which the security of AI-enabled tools depends not only on code correctness but also on guardrails around autonomous decision-making. It also raises questions about how vendors verify the safety of external content requests and how customers should regulate data access for AI agents within CRMs.
Mitigation and Best Practices
Organizations that use AI agents in CRM environments should implement layered protections to reduce the risk of indirect prompt injection and data leakage:
- Limit external content loading: Restrict or sandbox any agent-driven requests to external resources unless strictly necessary and whitelisted.
- Strengthen domain verification: Use strict, time-bound allowlists and continuous domain reputation checks for any external requests made by AI agents.
- Data minimization: Configure agents to access only the data absolutely required for their tasks; implement data masking where possible.
- Robust monitoring and auditing: Enable detailed logs of prompts, agent actions, and outbound requests; set up anomaly detection for unusual data flows.
- Role-based access controls: Enforce strict permissions to limit what agents can fetch and modify within the CRM.
- Incident response readiness: Develop playbooks for AI-related data leakage scenarios, including rapid containment and notification processes.
About Noma Security
Founded in 2023 by Niv Brown and Alon Troon, Noma Security has emerged as a leader in AI risk management and threat discovery. Since its inception, the company has raised significant funding and focuses on helping enterprises adopt AI technologies without compromising data security. The ForcedLeak disclosure serves as a reminder that AI-enabled workflows require equally sophisticated governance and monitoring.
Takeaway for Businesses
As AI agents become more capable inside business workflows, the boundary between automation and data exposure grows thinner. The ForcedLeak case demonstrates that even well-meaning automations can become vectors for leakage if control mechanisms are not robust. Enterprises should reassess how their AI agents access CRM data, continuously monitor for indirect prompt injection patterns, and implement strong external-fetch safeguards to preserve data integrity and privacy.
